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Abstract 
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Chapter 1. introduction to users 


This little chapter will teach you how to identify your user account on a Unix computer using 
commands like who am i, id, and more. 


In a second part you will learn how to become another user with the su command. 


And you will learn how to run a program as another user with sudo. 
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1.1. whoami 


The whoami command tells you your username. 
[paul@centos7 ~]$ whoami 


paul 
[paul@centos7 ~]$ 


1.2. who 


The who command will give you information about who is logged on the system. 


[paul@centos7 ~]$ who 


root pts/0 Z20L4=hO=N0) 2307 WhO. 204. 33. 01) 
paul pts/1 OLA ALL) SiO S10) (CRO) 5 ARO ShSie iL(0)a0)) 
laura pts/2 2014-10-10 23334 (10,104.33 .96) 
tania pts/3 ZOLA TOTO 25s 9. CLO moa 3 S91) 


[paul@centos7 ~]$ 


1.3. who am I 


With who am i the who command will display only the line pointing to your current session. 
[paul@centos7 ~]$ who am i 


paul pts/1 Z0TASNO= 10 2385 310) (Oe. 337. On) 
[paul@centos7 ~]$ 


1.4. w 


The w command shows you who is logged on and what they are doing. 


[paul@centos7 ~]S w 
23034207 “ap, Simin, 2 users, load average: 0.00, 0.01, 0.02 
USER HALE LOGIN@ IDLE JCeU PCPU WHAT 
root pts/0 23307 15. 00s, WOS0ts: OF 0is top 
paul pts/1 AAS SHO) 7.00s 0.00s 0.00s w 


[paul@centos7 ~]$ 


1.5. id 


The id command will give you your user id, primary group id, and a list of the groups that 
you belong to. 


paul@debian7:~$ id 
uid=1000 (paul) gid=1000(paul) groups=1000 (paul) 


On RHEL/CentOS you will also get SELinux context information with this command. 


[root@centos7 ~]# id 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r\ 
:unconfined_t:s0-s0:c0.c1023 
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1.6. su to another user 


The su command allows a user to run a shell as another user. 


laura@debian7:~S su tania 
Password: 
tania@debian7:/home/laura$ 


1.7. su to root 


Yes you can also su to become root, when you know the root password. 


laura@debian7:~$ su root 
Password: 
root@debian7: /home/laura# 


1.8. su as root 


You need to know the password of the user you want to substitute to, unless your are logged 
in as root. The root user can become any existing user without knowing that user's password. 


root@debian7:~# id 

uid=0 (root) gid=0(root) groups=0 (root) 
root@debian7:~# su —- valentina 
valentina@debian7:~$ 


1.9. su - $username 


By default, the su command maintains the same shell environment. To become another user 


and also get the target user's environment, issue the su - command followed by the target 
username. 


root@debian7:~# su laura 
laura@debian7:/rootS exit 
exit 

root@debian7:~# su — laura 
laura@debian7:~$ pwd 
/home/laura 


1.10. su - 


When no username is provided to su or su -, the command will assume root is the target. 


tania@debian7:~$ su —- 
Password: 
root@debian7:~# 
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1.11. run a program as another user 


The sudo program allows a user to start a program with the credentials of another user. 
Before this works, the system administrator has to set up the /ete/sudoers file. This can be 
useful to delegate administrative tasks to another user (without giving the root password). 


The screenshot below shows the usage of sudo. User paul received the right to run useradd 
with the credentials of root. This allows paul to create new users on the system without 
becoming root and without knowing the root password. 


First the command fails for paul. 


paul@debian7:~$ /usr/sbin/useradd -m valentina 
useradd: Permission denied. 
useradd: cannot lock /etc/passwd; try again later. 


But with sudo it works. 


paul@debian7:~$ sudo /usr/sbin/useradd -m valentina 
[sudo] password for paul: 
paul@debian7:~$ 


1.12. visudo 


Check the man page of visudo before playing with the /etc/sudoers file. Editing the sudoers 
is out of scope for this fundamentals book. 


paul@rhel65:~S apropos visudo 
visudo (8) - edit the sudoers file 
paul@rhel65:~$ 
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1.13. sudo su - 


On some Linux systems like Ubuntu and Xubuntu, the root user does not have a password 
set. This means that it is not possible to login as root (extra security). To perform tasks as 
root, the first user is given all sudo rights via the /etc/sudoers. In fact all users that are 
members of the admin group can use sudo to run all commands as root. 


root@laika:~# grep admin /etc/sudoers 
# Members of the admin group may gain root privileges 
Sacmen | Alt (Adaiy)) Al 


The end result of this is that the user can type sudo su - and become root without having to 
enter the root password. The sudo command does require you to enter your own password. 
Thus the password prompt in the screenshot below is for sudo, not for su. 


paul@laika:~$ sudo su — 
Password: 
root@laika:~# 


1.14. sudo logging 


Using sudo without authorization will result in a severe warning: 
paul@rhel65:~S sudo su —- 


We trust you have received the usual lecture from the local System 
Administrator. It usually boils down to these three things: 


#1) Respect the privacy of others. 
#2) Think before you type. 
#3) With great power comes great responsibility. 


[sudo] password for paul: 
paul is not in the sudoers file. This incident will be reported. 
paul@rhel65:~$ 


The root user can see this in the /var/log/secure on Red Hat and in /var/log/auth.log on 
Debian). 


root@rhel65:~# tail /var/log/secure | grep sudo | tr-s ' '! 

Apr 13 16:03:42 rhel65 sudo: paul : user NOT in sudoers ; TTY=pts/0 ; PWD=\ 
/home/paul ; USER=root ; COMMAND=/bin/su - 

root@rhel65:~# 
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1.15. practice: introduction to users 


1. Run a command that displays only your currently logged on user name. 
2. Display a list of all logged on users. 


3. Display a list of all logged on users including the command they are running at this very 
moment. 


4. Display your user name and your unique user identification (userid). 


5. Use su to switch to another user account (unless you are root, you will need the password 
of the other account). And get back to the previous account. 


6. Now use su - to switch to another user and notice the difference. 
Note that su - gets you into the home directory of Tania. 


7. Try to create a new user account (when using your normal user account). this should fail. 
(Details on adding user accounts are explained in the next chapter.) 


8. Now try the same, but with sudo before your command. 
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1.16. solution: introduction to users 


1. Run a command that displays only your currently logged on user name. 


laura@debian7:~S whoami 
laura 

laura@debian7:~$ echo S$SUSER 
laura 


2. Display a list of all logged on users. 


laura@debian7:~$ who 
laura pts/0 ENO AM) SS (OS AAA {CAL(O) ALCO) SSS) 10) 1h) 
laura@debian7:~$ 


3. Display a list of all logged on users including the command they are running at this very 
moment. 


laura@debian7:~S w 
OW 347302) aio sor mani, 2 users, load average: 0.00, 0.00, 0.00 


USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT 
root pts/0 OR OAR eS ead OB S30) 6.00s 0.04s 0.00s w 
root pts/1 WO) SALONS Si sk5 iL ()al 07:46 6.00s 0.01s 0.00s sleep 42 


laura@debian7:~$ 


4. Display your user name and your unique user identification (userid). 


laura@debian7:~$ id 
uid=1005(laura) gid=1007(laura) groups=1007 (laura) 
laura@debian7:~$ 


5. Use su to switch to another user account (unless you are root, you will need the password 
of the other account). And get back to the previous account. 


laura@debian7:~S su tania 

Password: 

tania@debian7:/home/laura$ id 

uid=1006(tania) gid=1008(tania) groups=1008 (tania) 
tania@debian7:/home/laura$ exit 

laura@debian7:~S$ 


6. Now use su - to switch to another user and notice the difference. 


laura@debian7:~$ su - tania 
Password: 

tania@debian7:~$ pwd 
/home/tania 
tania@debian7:~$ logout 
laura@debian7:~$ 


Note that su - gets you into the home directory of Tania. 
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7. Try to create a new user account (when using your normal user account). this should fail. 
(Details on adding user accounts are explained in the next chapter.) 


laura@debian7:~$ useradd valentina 

-su: useradd: command not found 

laura@debian7:~$ /usr/sbin/useradd valentina 
useradd: Permission denied. 

useradd: cannot lock /etc/passwd; try again later. 


It is possible that useradd is located in /sbin/useradd on your computer. 


8. Now try the same, but with sudo before your command. 
laura@debian7:~$ sudo /usr/sbin/useradd valentina 
[sudo] password for laura: 


laura is not in the sudoers file. This incident will be reported. 
laura@debian7:~$ 


Notice that laura has no permission to use the sudo on this system. 
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Chapter 2. user management 


This chapter will teach you how to use useradd, usermod and userdel to create, modify 
and remove user accounts. 


You will need root access on a Linux computer to complete this chapter. 
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2.1. user management 


User management on Linux can be done in three complementary ways. You can use the 
graphical tools provided by your distribution. These tools have a look and feel that depends 
on the distribution. If you are a novice Linux user on your home system, then use the 
graphical tool that is provided by your distribution. This will make sure that you do not run 
into problems. 


Another option is to use command line tools like useradd, usermod, gpasswd, passwd and 
others. Server administrators are likely to use these tools, since they are familiar and very 
similar across many different distributions. This chapter will focus on these command line 
tools. 


A third and rather extremist way is to edit the local configuration files directly using vi (or 
vipw/vigr). Do not attempt this as a novice on production systems! 


2.2. /etc/passwd 


The local user database on Linux (and on most Unixes) 1s /etc/passwd. 


[root@RHEL5 ~]# tail /etc/passwd 

inge:x:518:524:art dealer:/home/inge:/bin/ksh 
ann:x:519:525:flute player:/home/ann:/bin/bash 
frederik:x:520:526:rubius poet:/home/frederik:/bin/bash 
steven:x:521:527:roman emperor:/home/steven:/bin/bash 
pascale:x:522:528:artist:/home/pascale:/bin/ksh 
geert:x:524:530:kernel developer: /home/geert:/bin/bash 
wim:x:525:531:master damuti:/home/wim:/bin/bash 
sandra:x:526:532:radish stresser:/home/sandra:/bin/bash 
annelies:x:527:533:sword fighter: /home/annelies:/bin/bash 
laura:x:528:534:art dealer: /home/laura:/bin/ksh 


As you can see, this file contains seven columns separated by a colon. The columns contain 
the username, an x, the user id, the primary group id, a description, the name of the home 
directory, and the login shell. 


More information can be found by typing man 5 passwd. 


[root@RHEL5 ~]# man 5 passwd 


2.3. root 


The root user also called the superuser is the most powerful account on your Linux system. 
This user can do almost anything, including the creation of other users. The root user always 
has userid O (regardless of the name of the account). 


[root@RHEL5 ~]# head -1 /etc/passwd 
BOO O 0 ao Oin, HOCt bin) basin 
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2.4. useradd 


You can add users with the useradd command. The example below shows how to add a 
user named yanina (last parameter) and at the same time forcing the creation of the home 
directory (-m), setting the name of the home directory (-d), and setting a description (-c). 


[root@RHEL5 ~]# useradd -m -d /home/yanina -c "yanina wickmayer" yanina 
[root@RHEL5 ~]# tail -1 /etc/passwd 
yanina:x*:529:529:yanina wickmayer:/home/yanina:/bin/bash 


The user named yanina received userid 529 and primary group id 529. 


2.5. /etc/default/useradd 


Both Red Hat Enterprise Linux and Debian/Ubuntu have a file called /etc/default/useradd 
that contains some default user options. Besides using cat to display this file, you can also 
use useradd -D. 


[root@RHEL4 ~]# useradd -D 
GROUP=100 

HOME=/home 

INACTIVE=-1 

EXPIRE= 

SHELL=/bin/bash 
SKEL=/etc/skel 


2.6. userdel 


You can delete the user yanina with userdel. The -r option of userdel will also remove the 
home directory. 


[root@RHEL5 ~]# userdel -r yanina 


2./. usermod 


You can modify the properties of a user with the usermod command. This example uses 
usermod to change the description of the user harry. 


[root@RHEL4 ~]# tail -1 /etc/passwd 
harry:x:516:520:harry potter:/home/harry:/bin/bash 
[root@RHEL4 ~]# usermod -c 'wizard' harry 
[root@RHEL4 ~]# tail -1 /etc/passwd 
harry:x:516:520:wizard: /home/harry:/bin/bash 
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2.8. creating home directories 


The easiest way to create a home directory is to supply the -m option with useradd (it is 
likely set as a default option on Linux). 


A less easy way is to create a home directory manually with mkdir which also requires 
setting the owner and the permissions on the directory with chmod and chown (both 
commands are discussed in detail in another chapter). 


[root@RHEL5 ~]# mkdir /home/laura 

[root@RHEL5 ~]# chown laura:laura /home/laura 
[root@RHEL5 ~]# chmod 700 /home/laura 

[root@RHEL5 ~]# 1s -ld /home/laura/ 

drwx-----— 2 laura laura 4096 Jun 24 15:17 /home/laura/ 


2.9. /etc/skel/ 


When using useradd the -m option, the /etc/skel/ directory is copied to the newly created 
home directory. The /ete/skel/ directory contains some (usually hidden) files that contain 
profile settings and default values for applications. In this way /etc/skel/ serves as a default 
home directory and as a default user profile. 


[root@RHEL5 ~]# 1s -la /etc/skel/ 

total 48 

chaipa—.ca—< 2 faerie saeyoye, | AOE youd il (0g ahik 

oliaip cia —>.cie—><) 8)7/ aetoloye, saroyoye, IAA Tee) aban 2Ab ilsye SiG) Se 

aa\ij—ie——1e—— il iatovoyEe. saleKoye 24 Jul 12 2006 .bash_logout 

Heya —= il ieCioNE OO 176 Jul 12 2006 .bash_profile 
al 


Sawa te root root 124 duly 27 2006  bashre 


2.10. deleting home directories 


The -r option of userdel will make sure that the home directory is deleted together with the 
user account. 


[root@RHEL5 ~]# 1s -ld /home/wim/ 

olraip— 2 wim wim 4096 Jun 24 15:19 /home/wim/ 
[root@RHEL5 ~]# userdel -r wim 

[root@RHEL5 ~]# 1s -ld /home/wim/ 

ls: /home/wim/: No such file or directory 
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2.11. login shell 


The /etc/passwd file specifies the login shell for the user. In the screenshot below you can 
see that user annelies will log in with the /bin/bash shell, and user laura with the /bin/ksh 
shell. 


[root@RHEL5 ~]# tail -2 /etc/passwd 
annelies:x:527:533:sword fighter:/home/annelies:/bin/bash 
laura:x:528:534:art dealer: /home/laura:/bin/ksh 


You can use the usermod command to change the shell for a user. 


[root@RHEL5 ~]# usermod -s /bin/bash laura 
[root@RHEL5 ~]# tail -1 /etc/passwd 
laura:x:528:534:art dealer:/home/laura:/bin/bash 


2.12. chsh 


Users can change their login shell with the chsh command. First, user harry obtains a list of 
available shells (he could also have done a cat /etc/shells) and then changes his login shell 
to the Korn shell (/bin/ksh). At the next login, harry will default into ksh instead of bash. 


[laura@centos7 ~]$ chsh -1 
/bin/sh 

/bin/bash 
/sbin/nologin 
/usr/bin/sh 
/usr/bin/bash 
/usr/sbin/nologin 
/bin/ksh 

/bin/tcsh 

/bin/csh 
[laura@centos7 ~]$ 


Note that the -1 option does not exist on Debian and that the above screenshot assumes that 
ksh and csh shells are installed. 


The screenshot below shows how laura can change her default shell (active on next login). 


[laura@centos7 ~]$ chsh -s /bin/ksh 
Changing shell for laura. 

Password: 

Shell changed. 
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2.13. practice: user management 


1. Create a user account named serena, including a home directory and a description (or 
comment) that reads Serena Williams. Do all this in one single command. 


2. Create a user named venus, including home directory, bash shell, a description that reads 
Venus Williams all in one single command. 


3. Verify that both users have correct entries in /etc/passwd, /etc/shadow and /etc/group. 
4. Verify that their home directory was created. 
5. Create a user named einstime with /bin/date as his default logon shell. 


7. What happens when you log on with the einstime user ? Can you think of a useful real 
world example for changing a user's login shell to an application ? 


8. Create a file named welcome.txt and make sure every new user will see this file in their 
home directory. 


9. Verify this setup by creating (and deleting) a test user account. 


10. Change the default login shell for the serena user to /bin/bash. Verify before and after 
you make this change. 
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2.14. solution: user management 


1. Create a user account named serena, including a home directory and a description (or 
comment) that reads Serena Williams. Do all this in one single command. 


root@debian7:~# useradd -m -c 'Serena Williams' serena 


2. Create a user named venus, including home directory, bash shell, a description that reads 
Venus Williams all in one single command. 


root@debian7:~# useradd -m -c "Venus Williams" -s /bin/bash venus 


3. Verify that both users have correct entries in /etc/passwd, /etc/shadow and /etc/group. 


root@debian7:~# tail -2 /etc/passwd 
serena:x:1008:1010:Serena Williams: /home/serena:/bin/sh 
venus:x:1009:1011:Venus Williams: /home/venus:/bin/bash 
root@debian7:~# tail -2 /etc/shadow 
Sememales 6s 510 10 OOOO meres 

venus 16358202 999997 ss: 

root@debian7:~# tail -2 /etc/group 

serena:x:1010: 

venus:x:1011: 


4. Verify that their home directory was created. 
root@debian7:~# 1s -1lrt /home | tail -2 
drwxr-xr-x 2 serena serena 4096 Oct 15 10:50 serena 


drwxr-xr-x 2 venus venus 4096 Oct 15 10:59 venus 
root@debian7:~# 


5. Create a user named einstime with /bin/date as his default logon shell. 


root@debian7:~# useradd -s /bin/date einstime 


Or even better: 


root@debian7:~# useradd -s $(which date) einstime 


7. What happens when you log on with the einstime user ? Can you think of a useful real 
world example for changing a user's login shell to an application ? 
root@debian7:~# su -— einstime 


Wed Oct 15 11:05:56 UTC 2014 # You get the output of the date command 
root@debian7:~# 


It can be useful when users need to access only one application on the server. Just logging 
in opens the application for them, and closing the application automatically logs them out. 
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8. Create a file named welcome.txt and make sure every new user will see this file in their 
home directory. 


root@debian7:~# echo Hello > /etc/skel/welcome.txt 


9. Verify this setup by creating (and deleting) a test user account. 


root@debian7:~# useradd -m test 
root@debian7:~# 1s -l1 /home/test 
total 4 
Tee — 36 1 test test 6 Oct 15 11:16 welcome.txt 
root@debian7:~# userdel -r test 
root @debian7:~# 


10. Change the default login shell for the serena user to /bin/bash. Verify before and after 
you make this change. 


root@debian7:~# grep serena /etc/passwd 
serena:x:1008:1010:Serena Williams: /home/serena:/bin/sh 
root@debian7:~# usermod -s /bin/bash serena 
root@debian7:~# grep serena /etc/passwd 
serena:x:1008:1010:Serena Williams: /home/serena:/bin/bash 
root @debian7:~# 
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Chapter 3. user passwords 


This chapter will tell you more about passwords for local users. 


Three methods for setting passwords are explained; using the passwd command, using 
openssel passwd, and using the crypt function in a C program. 


The chapter will also discuss password settings and disabling, suspending or locking 
accounts. 
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3.1. passwd 


Passwords of users can be set with the passwd command. Users will have to provide their 
old password before twice entering the new one. 


[tania@centos7 ~]$ passwd 

Changing password for user tania. 

Changing password for tania. 

(current) UNIX password: 

New password: 

BAD PASSWORD: The password is shorter than 8 characters 
New password: 

BAD PASSWORD: The password is a palindrome 

New password: 

BAD PASSWORD: The password is too similar to the old one 
passwd: Have exhausted maximum number of retries for service 


As you can see, the passwd tool will do some basic verification to prevent users from using 
too simple passwords. The root user does not have to follow these rules (there will be 
a warning though). The root user also does not have to provide the old password before 
entering the new password twice. 


root@debian7:~# passwd tania 

Enter new UNIX password: 

Retype new UNIX password: 

passwd: password updated successfully 


3.2. shadow file 


User passwords are encrypted and kept in /etc/shadow. The /etc/shadow file is read only 
and can only be read by root. We will see in the file permissions section how it is possible 
for users to change their password. For now, you will have to know that users can change 
their password with the /usr/bin/passwd command. 


[root@centos7 ~]# tail -4 /etc/shadow 
paul:S6Sikp2Xta5BT.Tml.p$2TZjNnOYNNOQKpwLJqoGJbVsZG5/Fti80vBRd.VzRbiDS17TEq\ 
TaSMH.TeBKnTS/Sj1Mruw8qffCOJNORW.BTW1:16338:0:99999:7::: 
tania: $6$82Z/zovxj$9qvoqT8i9KIrmN. k4EQwAF5ryz5yzNwEvyY jAa9L5XVXQu. z4D1pvMREH \ 
eQpOzvRngFdKkVj17H5ST.c79HDZw0:16356:0:99999:7::: 

laura: $6$glDuTY5eS$/NYYWLxfHgZFWeoujaXSMcR.Mz.1GOxtcxFocFVJINb98nbTPhWFXfKWG\ 
SyYh1WCv6763Wq54.w24Yr3uAZBOm/:16356:0:99999:7::: 

valentina:$6$ jrZa6PVIS1luQgqR6En9mZB6mKJ3LXRB4CnFko6LRhbh.v4iquk9MVreuillv7\ 
GxHOUDSKAON55ZRNhGHa6T2ouFnVno/001:16356:0:99999:7::: 

[root@centos7 ~]# 


The /etc/shadow file contains nine colon separated columns. The nine fields contain (from 
left to right) the user name, the encrypted password (note that only inge and laura have an 
encrypted password), the day the password was last changed (day 1 is January 1, 1970), 
number of days the password must be left unchanged, password expiry day, warning number 
of days before password expiry, number of days after expiry before disabling the account, 
and the day the account was disabled (again, since 1970). The last field has no meaning yet. 


All the passwords in the screenshot above are hashes of hunter2. 
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3.3. encryption with passwd 


Passwords are stored in an encrypted format. This encryption is done by the crypt function. 
The easiest (and recommended) way to add a user with a password to the system is to add 
the user with the useradd -m user command, and then set the user's password with passwd. 


[root@RHEL4 ~]# useradd -m xavier 

[root@RHEL4 ~]# passwd xavier 

Changing password for user xavier. 

New UNIX password: 

Retype new UNIX password: 

passwd: all authentication tokens updated successfully. 
[root@RHEL4 ~]# 


3.4. encryption with openssl 


Another way to create users with a password is to use the -p option of useradd, but that 
option requires an encrypted password. You can generate this encrypted password with the 
openssl passwd command. 


The openssl passwd command will generate several distinct hashes for the same password, 
for this it uses a salt. 


paul@rhel65:~$ openssl passwd hunter2 
86jCcUN1LNGDFpY 
paul@rhel65:~$ openssl passwd hunter2 
Yj7mDO9OAnVG6 
paul@rhel65:~$ openssl passwd hunter2 
YqDcJeGoDbzKA 
paul@rhel65:~$ 


This salt can be chosen and is visible as the first two characters of the hash. 


paul@rhel65:~$ openssl passwd -salt 42 hunter2 
42ZrbtP12Ze8G. 

paul@rhel65:~$ openssl passwd -salt 42 hunter2 
42ZrbtP1Ze8G. 

paul@rhel65:~$ openssl passwd -salt 42 hunter2 
42ZrbtP1Ze8G. 

paul@rhel65:~$ 


This example shows how to create a user with password. 


root@rhel65:~# useradd -m -p $(openssl passwd hunter2) mohamed 


Note that this command puts the password in your command history! 
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3.5. encryption with crypt 


A third option is to create your own C program using the crypt function, and compile this 
into a command. 


paul@rhel65:~S cat MyCrypt.c 
#include <stdio.h> 

#define __USE_XOPEN 

#include <unistd.h> 


int matni(Gdint arge, char** vargy) 
{ 
if (argc==3) 
{ 
Print ( ls\at, crypt (argv ll jargvl2 |) )- 
} 


else 
i 

printf ("Usage: MyCrypt S$password $salt\n" ); 
} 


return 0; 


} 


This little program can be compiled with gcc like this. 


paul@rhel65:~$ gece MyCrypt.c -o MyCrypt -lcrypt 


To use it, we need to give two parameters to MyCrypt. The first is the unencrypted password, 
the second is the salt. The salt is used to perturb the encryption algorithm in one of 4096 
different ways. This variation prevents two users with the same password from having the 
same entry in /etc/shadow. 


paul@rhel65:~$ ./MyCrypt hunter2 42 
42ZrbtP1Ze8G. 
paul@rhel65:~$ ./MyCrypt hunter2 33 
33d6taYSiEUXI 


Did you notice that the first two characters of the password are the salt? 


The standard output of the crypt function is using the DES algorithm which is old and can 
be cracked in minutes. A better method is to use md5 passwords which can be recognized 
by a salt starting with $1$. 


paul@rhel65:~$ ./MyCrypt hunter2 '$1$42' 

$1$42$716Y3xT5282XmZrtDOF 9f0 

paul@rhel65:~S ./MyCrypt hunter2 '$6$42' 
$6$42SOqgFFAVnI3gTSYGOyI19TZWX9cpyOzwlop7HwpG1LLESNBiMr4w6OvLX1KDa./UpwXfrFkli... 


The md5 salt can be up to eight characters long. The salt is displayed in /etc/shadow between 
the second and third $, so never use the password as the salt! 


paul@rhel65:~S ./MyCrypt hunter2 '$1S$hunter2' 
$1Shunter2SYVxrxDmidq7Xf8Gdt 6qM2. 
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3.6. /etc/login.defs 


The /etc/login.defs file contains some default settings for user passwords like password 
aging and length settings. (You will also find the numerical limits of user ids and group ids 
and whether or not a home directory should be created by default). 


root@rhel65:~# grep “PASS /etc/login.defs 
PASS_MAX_DAYS QII9®) 

PASS_MIN_DAYS 0 

PASS_MIN_LEN 5 

PASS_WARN_AGE 7 


Debian also has this file. 


root@debian7:~# grep PASS /etc/login.defs 


# PASS MAX DAYS Maximum number of days a password may be used. 
# PASS _MIN_DAYS Minimum number of days allowed between password changes. 
# PASS _WARN_AGE Number of days warning given before a password expires. 


PASS_MAX_ DAYS O99 
PASS_MIN_DAYS 0 
PASS_WARN_AGE 7 
#PASS_ CHANGE TRIES 
#PASS_ ALWAYS WARN 
#PASS_MIN_LEN 
#PASS_MAX LEN 

# NO_PASSWORD_CONSOLE 
root @debian7:~# 


3./. chage 


The chage command can be used to set an expiration date for a user account (-E), set a 
minimum (-m) and maximum (-M) password age, a password expiration date, and set the 
number of warning days before the password expiration date. Much of this functionality is 
also available from the passwd command. The -I option of chage will list these settings for 


a user. 


root@rhel65:~# chage -1 paul 

Last password change 

Password expires 

Password inactive 

Account expires 

Minimum number of days between password change 
Maximum number of days between password change 
Number of days of warning before password expires 
root@rhel65:~# 


Mar 27, 2014 
never 

never 

never 

0 

99999) 

7 
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3.8. disabling a password 


Passwords in /etc/shadow cannot begin with an exclamation mark. When the second field 
in /etc/passwd starts with an exclamation mark, then the password can not be used. 


Using this feature is often called locking, disabling, or suspending a user account. Besides 
vi (or vipw) you can also accomplish this with usermod. 


The first command in the next screenshot will show the hashed password of laura in /etc/ 
shadow. The next command disables the password of laura, making it impossible for Laura 
to authenticate using this password. 


root@debian7:~# grep laura /etc/shadow | cut -c1-70 
laura: S6SJYj4IZqpSstwwWACp30tE1R2aZuE87j.nbW.puDkNUYVk 7mCH£fCVMa3CoDUJV 
root@debian7:~# usermod -L laura 


As you can see below, the password hash is simply preceded with an exclamation mark. 


root@debian7:~# grep laura /etc/shadow | cut -c1-70 
laura: !S6SJYj40Zqp$ st wwWACp30tE1R2aZuE87j.nbW.puDkNUYVk7mCH£CVMa3CoDUIT 
root @debian7:~# 


The root user (and users with sudo rights on su) still will be able to su into the laura account 
(because the password is not needed here). Also note that laura will still be able to login 
if she has set up passwordless ssh! 


root@debian7:~# su — laura 
laura@debian7:~$ 


You can unlock the account again with usermod -U. 


root@debian7:~# usermod —-U laura 
root@debian7:~# grep laura /etc/shadow | cut -c1-70 
laura: S6SJYj4IZqpSstwwWACp30tE1R2aZuE87j.nbW.puDkNUYVk 7mCH£fCVMa3CoDUJV 


Watch out for tiny differences in the command line options of passwd, usermod, and 
useradd on different Linux distributions. Verify the local files when using features like 
"disabling, suspending, or locking" on user accounts and their passwords. 


3.9. editing local files 


If you still want to manually edit the /etc/passwd or /etc/shadow, after knowing these 
commands for password management, then use vipw instead of vi(m) directly. The vipw 
tool will do proper locking of the file. 


[root@RHEL5 ~]# vipw /etc/passwd 
vipw: the password file is busy (/etc/ptmp present) 
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3.10. practice: user passwords 


1. Set the password for serena to hunter2. 


2. Also set a password for venus and then lock the venus user account with usermod. Verify 
the locking in /etc/shadow before and after you lock it. 


3. Use passwd -d to disable the serena password. Verify the serena line in /etc/shadow 
before and after disabling. 


4. What is the difference between locking a user account and disabling a user account's 
password like we just did with usermod -L and passwd -d? 


5. Try changing the password of serena to serena as serena. 
6. Make sure serena has to change her password in 10 days. 
7. Make sure every new user needs to change their password every 10 days. 


8. Take a backup as root of /etc/shadow. Use vi to copy an encrypted hunter2 hash from 
venus to serena. Can serena now log on with hunter2 as a password ? 


9. Why use vipw instead of vi ? What could be the problem when using vi or vim ? 


10. Use chsh to list all shells (only works on RHEL/CentOS/Fedora), and compare to cat / 
etc/shells. 


11. Which useradd option allows you to name a home directory ? 


12. How can you see whether the password of user serena is locked or unlocked ? Give a 
solution with grep and a solution with passwd. 
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3.11. solution: user passwords 


1. Set the password for serena to hunter2. 


root@debian7:~# passwd serena 

Enter new UNIX password: 

Retype new UNIX password: 

passwd: password updated successfully 


2. Also set a password for venus and then lock the venus user account with usermod. Verify 
the locking in /etc/shadow before and after you lock it. 


root@debian7:~# passwd venus 

Enter new UNIX password: 

Retype new UNIX password: 

passwd: password updated successfully 

root@debian7:~# grep venus /etc/shadow | cut -c1-70 

venus : $6SgswzXICWSuSnKFV1kFKZmTPaMVS 4AVNA/KO270xNOV5LHdV9ed0gTyXr jUeM/ 
root@debian7:~# usermod —-L venus 

root@debian7:~# grep venus /etc/shadow | cut -c1-70 

venus: ! S6SgswzXICWSuSnKFV1LkFKZmTPaMVS4AVNA/KO270xNOv5LHdV9ed0gTyXr jUeM 


Note that usermod -L precedes the password hash with an exclamation mark (!). 


3. Use passwd -d to disable the serena password. Verify the serena line in /etc/shadow 


before and after disabling. 

root@debian7:~# grep serena /etc/shadow | cut -—c1-70 

serena: $6SEs/omrPESF2Ypu8kpLrfKdWO0v/UIWAS5 jrYyBD2nwZ/dt.i/IypRgiPZSdB/B 
root@debian7:~# passwd -d serena 

passwd: password expiry information changed. 

root@debian7:~# grep serena /etc/shadow 


Semenanc 6s aC Us 99 SOO ie si: 
root @debian7:~# 


4. What is the difference between locking a user account and disabling a user account's 
password like we just did with usermod -L and passwd -d? 


Locking will prevent the user from logging on to the system with his password by putting 
a ! in front of the password in /etc/shadow. 


Disabling with passwd will erase the password from /etc/shadow. 


5. Try changing the password of serena to serena as serena. 


log on as serena, then execute: passwd serena... it should fail! 


6. Make sure serena has to change her password in 10 days. 


chage -M 10 serena 


7. Make sure every new user needs to change their password every 10 days. 


vi /etc/login.defs (and change PASS_MAX DAYS to 10) 
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8. Take a backup as root of /etc/shadow. Use vi to copy an encrypted hunter2 hash from 
venus to serena. Can serena now log on with hunter2 as a password ? 


wes. 


9. Why use vipw instead of vi ? What could be the problem when using vi or vim ? 


vipw will give a warning when someone else is already using that file (with vipw). 


10. Use chsh to list all shells (only works on RHEL/CentOS/Fedora), and compare to cat / 
etc/shells. 


Chichi 
cat /etc/shells 


11. Which useradd option allows you to name a home directory ? 
-d 


12. How can you see whether the password of user serena is locked or unlocked ? Give a 
solution with grep and a solution with passwd. 


grep serena /etc/shadow 


passwd -S serena 
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Logged on users have a number of preset (and customized) aliases, variables, and functions, 
but where do they come from ? The shell uses a number of startup files that are executed 


(or rather sourced) whenever the shell is invoked. What follows is an overview of startup 
scripts. 
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4.1. system profile 


Both the bash and the ksh shell will verify the existence of /etc/profile and source it if it 
exists. 


When reading this script, you will notice (both on Debian and on Red Hat Enterprise Linux) 
that it builds the PATH environment variable (among others). The script might also change 
the PS1 variable, set the HOSTNAME and execute even more scripts like /etc/inputre 


This screenshot uses grep to show PATH manipulation in /etc/profile on Debian. 


root@debian7:~# grep PATH /etc/profile 
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 
PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games" 

export PATH 

root @debian7:~# 


This screenshot uses grep to show PATH manipulation in /etc/profile on RHEL7/CentOS7. 


[root@centos7 ~]# grep PATH /etc/profile 
case ":S{PATH}:" in 
PATH=SPATH:S1 
PATH=$1:S$PATH 
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL 
[root@centos7 ~]# 


The root user can use this script to set aliases, functions, and variables for every user on 
the system. 


4.2. ~/.bash_profile 


When this file exists in the home directory, then bash will source it. On Debian Linux 5/6/7 
this file does not exist by default. 


RHEL7/CentOS7 uses a small ~/.bash_profile where it checks for the existence of 
~/.bashre and then sources it. It also adds $HOME/bin to the $PATH variable. 


[root@rhel7 ~]# cat /home/paul/.bash_profile 
# .bash_profile 


# Get the aliases and functions 
if [ -f ~/.bashre ]; then 
. ~/.bashre 
fi 
# User specific environment and startup programs 


PATH=$PATH: SHOME/.local/bin: SHOME/bin 


export PATH 
[root@rhel7 ~]# 
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4.3. ~/.bash_login 


When .bash_profile does not exist, then bash will check for ~/.bash_login and source it. 


Neither Debian nor Red Hat have this file by default. 


4.4. ~/.profile 


When neither ~/.bash_profile and ~/.bash_login exist, then bash will verify the existence 
of ~/.profile and execute it. This file does not exist by default on Red Hat. 


On Debian this script can execute ~/.bashre and will add $HOME/bin to the $PATH 
variable. 


root@debian7:~# tail -11 /home/paul/.profile 


if [ -n "SBASH_ VERSION" ]; then 
# include .bashrce if it exists 
if [ -f "SHOME/.bashrec" J]; then 


"SHOME/.bashrc" 
£1 
£1 


# set PATH so it includes user's private bin if it exists 
fkae (| el WiSisteuonyoplin i) fp qelavevol 


PATH="S$HOME/bin:$PATH" 
heal 


RHEL/CentOS does not have this file by default. 


4.5. ~/.bashre 


The ~/.bashre script is often sourced by other scripts. Let us take a look at what it does 
by default. 


Red Hat uses a very simple ~/.bashre, checking for /etc/bashre and sourcing it. It also leaves 
room for custom aliases and functions. 


[root@rhel7 ~]# cat /home/paul/ .bashrec 
# .bashre 


# Source global definitions 

if [ -f /etc/bashre ]; then 
. /etc/bashre 

ites 


# Uncomment the following line if you don't like systemctl's auto-paging feature: 
# export SYSTEMD_PAGER= 


# User specific aliases and functions 


On Debian this script is quite a bit longer and configures $PS1, some history variables and 
a number af active and inactive aliases. 


root@debian7:~# wc -l1 /home/paul/.bashre 
110 /home/paul/.bashre 
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4.6. ~/.bash_logout 


When exiting bash, it can execute ~/.bash_logout. 


Debian use this opportunity to clear the console screen. 


serena@deb503:~$ cat .bash_logout 
# ~/.bash_logout: executed by bash(1) when login shell exits. 


# when leaving the console clear the screen to increase privacy 
if [ "SSHLVL" = 1 J]; then 


[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q 
fi 


Red Hat Enterprise Linux 5 will simple call the /usr/bin/clear command in this script. 


[serena@rhel53 ~]$ cat .bash_logout 
# ~/.bash_logout 


/usr/bin/clear 


Red Hat Enterprise Linux 6 and 7 create this file, but leave it empty (except for a comment). 


paul@rhel65:~$ cat .bash_logout 
# ~/.bash_logout 
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4.7. Debian overview 


Below is a table overview of when Debian is running any of these bash startup scripts. 


Table 4.1. Debian User Environment 


[script su su - ssh gdm 
~./bashre no yes yes yes 
~/ profile no yes yes yes 
/etc/profile no yes yes yes 
| /etc/bash.bashre yes no no yes 


4.8. RHEL5 overview 


Below is a table overview of when Red Hat Enterprise Linux 5 is running any of these bash 
startup scripts. 


Table 4.2. Red Hat User Environment 


script su su - ssh gdm 
~./bashre yes yes yes yes 
~/.bash_profile no yes yes yes 
/etc/profile no yes yes yes 
/etc/bashre yes yes yes yes 
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4.9. practice: user profiles 


1. Make a list of all the profile files on your system. 

2. Read the contents of each of these, often they source extra scripts. 

3. Put a unique variable, alias and function in each of those files. 

4. Try several different ways to obtain a shell (su, su -, ssh, tmux, gnome-terminal, Ctrl- 
alt-Fl, ...) and verify which of your custom variables, aliases and function are present in 
your environment. 


5. Do you also know the order in which they are executed? 


6. When an application depends on a setting in $HOME/.profile, does it matter whether 
$HOME/.bash_profile exists or not ? 
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4.10. solution: user profiles 


1. Make a list of all the profile files on your system. 


si -a ~ ; Us —1 /ete/pro* /etc/bash* 
2. Read the contents of each of these, often they source extra scripts. 
3. Put a unique variable, alias and function in each of those files. 


4. Try several different ways to obtain a shell (su, su -, ssh, tmux, gnome-terminal, Ctrl- 
alt-Fl, ...) and verify which of your custom variables, aliases and function are present in 
your environment. 


5. Do you also know the order in which they are executed? 
same name aliases, functions and variables will overwrite each other 


6. When an application depends on a setting in $HOME/.profile, does it matter whether 
$HOME/.bash_profile exists or not ? 


Yes it does matter. (man bash /INVOCATION) 
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Users can be listed in groups. Groups allow you to set permissions on the group level instead 
of having to set permissions for every individual user. 


Every Unix or Linux distribution will have a graphical tool to manage groups. Novice users 
are advised to use this graphical tool. More experienced users can use command line tools to 
manage users, but be careful: Some distributions do not allow the mixed use of GUI and CLI 
tools to manage groups (YaST in Novell Suse). Senior administrators can edit the relevant 
files directly with vi or vigr. 
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5.1. groupadd 


Groups can be created with the groupadd command. The example below shows the creation 
of five (empty) groups. 


root@laika:~# groupadd tennis 
root@laika:~# groupadd football 
root@laika:~# groupadd snooker 
root@laika:~# groupadd formulal 
root@laika:~# groupadd salsa 


5.2. group file 


Users can be a member of several groups. Group membership is defined by the /ete/group 
file. 


root@laika:~# tail -5 /etc/group 
tennis:x:1006: 

fooeball-sd 007: 

snooker:x:1008: 

PommuULL ade HOlOI9 

salsa:x:1010: 

root@laika:~# 


The first field is the group's name. The second field is the group's (encrypted) password (can 
be empty). The third field is the group identification or GID. The fourth field is the list of 
members, these groups have no members. 


5.3. groups 


A user can type the groups command to see a list of groups where the user belongs to. 


[harry@RHEL4b ~]$ groups 
harry sports 
[harry@RHEL4b ~]$ 
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5.4. usermod 


Group membership can be modified with the useradd or usermod command. 


root@laika:~# usermod -a -G tennis inge 
root@laika:~# usermod -a -G tennis katrien 
root@laika:~# usermod -a -G salsa katrien 
root@laika:~# usermod -a -G snooker sandra 
root@laika:~# usermod -a -G formulal annelies 
root@laika:~# tail -5 /etc/group 
tennis:x:1006:inge, katrien 
football x 7007: 

snooker:x:1008:sandra 
formulal:x:1009:annelies 
salsa:x:1010:katrien 

root@laika:~# 


Be careful when using usermod to add users to groups. By default, the usermod command 
will remove the user from every group of which he is a member if the group is not listed in 
the command! Using the -a (append) switch prevents this behaviour. 


5.5. groupmod 


You can change the group name with the groupmod command. 


root@laika:~# groupmod -n darts snooker 
root@laika:~# tail -5 /etc/group 
tennis:x:1006:inge, katrien 
football lsx 1007: 
formulal:x:1009:annelies 
salsa:x:1010:katrien 
darts:x:1008:sandra 


5.6. groupdel 


You can permanently remove a group with the groupdel command. 


root@laika:~# groupdel tennis 
root@laika:~# 


38 


groups 


5.7. gpasswd 


You can delegate control of group membership to another user with the gpasswd command. 
In the example below we delegate permissions to add and remove group members to serena 
for the sports group. Then we su to serena and add harry to the sports group. 


root@RHEL4b ~]# gpasswd -A serena sports 
root@RHEL4b ~]# su - serena 

serena@RHEL4b ~]$ id harry 

uid=516 (harry) gid=520 (harry) groups=520 (harry) 
serena@RHEL4b ~]$ gpasswd -a harry sports 
Adding user harry to group sports 
serena@RHEL4b ~]$ id harry 

uid=516 (harry) gid=520 (harry) groups=520 (harry) ,522 (sports) 
serena@RHEL4b ~]$ tail -1 /etc/group 
sports:x:522:serena, venus, harry 

EL4b ~]$ 


serena@RH 


Group administrators do not have to be a member of the group. They can remove themselves 
from a group, but this does not influence their ability to add or remove members. 


[serena@RHEL4b ~]$ gpasswd -d serena sports 


Removing user serena from group sports 
[serena@RHEL4b ~]$ exit 


Information about group administrators is kept in the /ete/gshadow file. 
[root@RHEL4b ~]# tail -1 /etc/gshadow 


sports: !:serena:venus, harry 
[root@RHEL4b ~]# 


To remove all group administrators from a group, use the gpasswd command to set an empty 
administrators list. 


[root@RHEL4b ~]# gpasswd -A "" sports 
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5.8. newgrp 


You can start a child shell with a new temporary primary group using the newgrp 
command. 


root@rhel65:~# mkdir prigroup 
root@rhel65:~# cd prigroup/ 
root@rhel65:~/prigroup# touch standard.txt 
root@rhel65:~/prigroup# ls -1 

total 0 
Sla\iyie————, 1 ions ieee OW Ajoxe 15) Ilyas) Ge enololelietel (e><e 
root@rhel65:~/prigroup# echo $SHLVL 
il 
root@rhel65:~/prigroup# newgrp tennis 
root@rhel65:~/prigroup# echo $SHLVL 
2 
root@rhel65:~/prigroup# touch newgrp.txt 
root@rhel65:~/prigroup# ls -1 


total 0 

=EW=G-—-E—=—., J root tennis 0 Apr 13) 17749 neworp. ext 
ice, iL iaeyeye  1e(eYeje © Ape 13 17:49 standard. txt 
root@rhel65:~/prigroup# exit 

exit 


root@rhel65:~/prigroup# 


5.9. vigr 


Similar to vipw, the vigr command can be used to manually edit the /ete/group file, since 
it will do proper locking of the file. Only experienced senior administrators should use vi 
or vigr to manage groups. 
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5.10. practice: groups 


1. Create the groups tennis, football and sports. 

2. In one command, make venus a member of tennis and sports. 

3. Rename the football group to foot. 

4. Use vi to add serena to the tennis group. 

5. Use the id command to verify that serena is a member of tennis. 


6. Make someone responsible for managing group membership of foot and sports. Test that 
it works. 
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5.11. solution: groups 


1. Create the groups tennis, football and sports. 


groupadd tennis ; groupadd football ; groupadd sports 


2. In one command, make venus a member of tennis and sports. 


usermod -a -G tennis,sports venus 


3. Rename the football group to foot. 


groupmod -n foot football 

4. Use vi to add serena to the tennis group. 

vi /etc/group 

5. Use the id command to verify that serena is a member of tennis. 


id (and after logoff logon serena should be member) 


6. Make someone responsible for managing group membership of foot and sports. Test that 
it works. 


gpasswd -A (to make manager) 


gpasswd -a (to add member) 
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Chapter 6. standard file permissions 


This chapter contains details about basic file security through file ownership and file 
permissions. 
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6.1. file ownership 


6.1.1. user owner and group owner 


The users and groups of a system can be locally managed in /etc/passwd and /etc/group, 
or they can be in a NIS, LDAP, or Samba domain. These users and groups can own files. 
Actually, every file has a user owner and a group owner, as can be seen in the following 


screenshot. 


paul@rhel65: 
total 636K 

Fine == 5 
Hae =e 
Iie =e 
Iie 
paul@rhel65: 


~/owners$ 1s -lh 


1 paul snooker 1.1K Apr 8 18: 
1 paul paul GA Noe 13) ILis)& 
1 root tennis 185 Apr “8 asic 
dl ie yous 1a(eXee @ were 8) ILG}8 
~/owners$ 
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data.odt 
fale 
file2 
Stu i ect 


User paul owns three files; file] has paul as user owner and has the group paul as group 
owner, data.odt is group owned by the group snooker, file2 by the group tennis. 


The last file is called stuff.txt and is owned by the root user and the root group. 


6.1.2. listing user accounts 


You can use the following command to list all local user accounts. 


paul@debian7~$ cut -d: 


LOOE 
daemon 
bin 

sys 
sync 
games 
man 

1p 

mail 
news 
uucp 
proxy 
www-data 
backup 
Site 
ulraye! 
gnats 
nobody 
libuuid 
Debian-exim 
statd 
sshd 


ntp 
mysql 
paul 
maarten 
kevin 
yuri 
william 
yves 
kris 
hamid 
vladimir 
abiy 
david 
chahid 
stef 
joeri 
glenn 
yannick 
christof 
george 
joost 
arno 


sam 
tom 
wouter 
robrecht 
bilal 
Gamat ra: 
ahmed 
dylan 
robin 
matthias 
ben 

mike 
kevin2 
kenzo 
aaron 
lorenzo 
jens 
ruben 
jelle 
stefaan 
marc 
thomas 


-f1 /etc/passwd | column 


bert 
rino 
antonio 
simon 
sven 
wouter2 
tarik 
jan 

ian 
ivan 
azeddine 
eric 
kamel 
ischa 
bart 
omer 
kurt 
steve 
constantin 
sam2 
bjorn 
ronald 


naomi 
matthias2 
bram 
fabrice 
chimene 
messagebus 
roger 
frank 
toon 
rinus 
eddy 
bram2 
keith 
jesse 
frederick 
hans 
dries 
steve2 
tomas 
johan 
tom2 
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6. 


1.3. chgrp 


You can change the group owner of a file using the chgrp command. 


root@rhel65:/home/paul/owners# ls -l file2 
iaViie——ie——, IL Aetoyone “etSioiaie’ its) pNowe ts) asso Geshe) 
root@rhel65:/home/paul/owners# chgrp snooker file2 
root@rhel65:/home/paul/owners# ls -l file2 
-rw-r--r--. 1 root snooker 185 Apr 8 18:46 file2 
root@rhel65:/home/paul/owners# 


1.4. chown 


The user owner of a file can be changed with chown command. 


root@laika:/home/paul# 1s -1l FileForPaul 

—EW= boa ROO paul OF A008 0S —O6n 14) Isl alk ohorrausdl 
root@laika:/home/paul# chown paul FileForPaul 
root@laika:/home/paul# ls -1l FileForPaul 

=Ew—E——e—— 1 pawl pauls 0) 2008-08-06 4 baler orrauul 


You can also use chown to change both the user owner and the group owner. 


root@laika:/home/paul# 1s -1l FileForPaul 

-rw-r--r-- 1 paul paul 0 2008-08-06 14:11 FileForPaul 
root@laika:/home/paul# chown root:project42 FileForPaul 
root@laika:/home/paul# 1s -1l FileForPaul 

=—BW-o-—b—— i POOte pROVece4e WON Z 00S 00-06. I4ed hake hormb aul 
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6.2. list of special files 


When you use Is -l, for each file you can see ten characters before the user and group owner. 
The first character tells us the type of file. Regular files get a -, directories get a d, symbolic 
links are shown with an I, pipes get a p, character devices a c, block devices a b, and sockets 
an Ss. 


Table 6.1. Unix special files 


first character file type 
- normal file 
d directory 
] symbolic link 
p named pipe 
b block device 
c character device 
S socket 


Below a screenshot of a character device (the console) and a block device (the hard disk). 


paul@debian6lt~$ 1s -ld /dev/console /dev/sda 
crw------- 1 root root 5, 1 Mar 15 12:45 /dev/console 
brw-rw---- 1 root disk 8, 0 Mar 15 12:45 /dev/sda 


And here you can see a directory, a regular file and a symbolic link. 


paul@debian6lt~$ 1s -ld /etc /etc/hosts /etc/motd 

drwxr-xr-x 128 root root 12288 Mar 15 18:34 /etc 

-rw-r--r-- il sexeyohe ieXexoue 372 Dec 10 17:36 /etc/hosts 

lrwxrwxrwx 1 root root PSE Deco HOG /ete/moeds —— var runny mot 
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6.3. permissions 
6.3.1. rwx 


The nine characters following the file type denote the permissions in three triplets. A 
permission can be r for read access, w for write access, and x for execute. You need the r 
permission to list (1s) the contents of a directory. You need the x permission to enter (cd) a 
directory. You need the w permission to create files in or remove files from a directory. 


Table 6.2. standard Unix file permissions 


permission on a file on a directory 
r (read) read file contents (cat) read directory contents (Is) 
w (write) change file contents (vi) create files in (touch) 

x (execute) execute the file enter the directory (cd) 


6.3.2. three sets of rwx 


We already know that the output of Is -I starts with ten characters for each file. This 
screenshot shows a regular file (because the first character is a - ). 


paul@RHELv4u4:~/test$ 1s -l proc42.bash 
—-rwxr-xr-- 1 paul proj 984 Feb 6 12:01 proc42.bash 


Below is a table describing the function of all ten characters. 


Table 6.3. Unix file permissions position 


position characters function 
1 - this is a regular file 
2-4 rwx permissions for the user owner 
| 5-7 I-X permissions for the group owner 
| 8-10 I-- permissions for others 


When you are the user owner of a file, then the user owner permissions apply to you. The 
rest of the permissions have no influence on your access to the file. 


When you belong to the group that is the group owner of a file, then the group owner 
permissions apply to you. The rest of the permissions have no influence on your access to 
the file. 


When you are not the user owner of a file and you do not belong to the group owner, then 
the others permissions apply to you. The rest of the permissions have no influence on your 
access to the file. 
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6.3.3. permission examples 


Some example combinations on files and directories are seen in this screenshot. The name 
of the file explains the permissions. 


paul@laika:~/perms$ 1s -lh 


total 12k 
drwxr-xr-x 
—rwxrwxrwXx 
eee ee 
—rwxrwx--— 
cig tig 
CUBS ee Z 


NRPRPER DN 


paul 
paul 
paul 
paul 
paul 
paul 


paul 
paul 
paul 
paul 
paul 
paul 


paul@laika:~/perms$ 


A007 =02 07 
2007-02-07 
2007-02-07 
2007-02-07 
2007-02-07 
2007-02-07 


PORE 
Zoe 
Zoe 
ERED E 
Dione 
Bee 


26 
Zell 
eal 
al 
29) 
25 


AllEnter_UserCreateDelete 
EveryoneFullControl.txt 
OnlyOwnersRead.txt 
OwnersAll_RestNothing.txt 
UserAndGroupEnter 
OnlyUserEnter 


To summarise, the first rwx triplet represents the permissions for the user owner. The 
second triplet corresponds to the group owner; it specifies permissions for all members 
of that group. The third triplet defines permissions for all other users that are not the user 
owner and are not a member of the group owner. 
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6.3.4. setting permissions (chmod) 


Permissions can be changed with chmod. The first example gives the user owner execute 
permissions. 


paul@laika:~/perms$ 1s -l permissions.txt 

=—Ww—e——e—— epawl pauls 0 2007-02-07 27:34 spermassisnonsjtoce 
paul@laika:~/perms$ chmod u+x permissions.txt 
paul@laika:~/perms$ 1s -l permissions.txt 

=nwxe——r—— i paul) paul 0) 2007-02-07 22734 permisisions.txt 


This example removes the group owners read permission. 
paul@laika:~/perms$ chmod g-r permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
SO OLE pau Oe A010 02-07 87,7; 4m pommtsisntOn strode 


This example removes the others read permission. 
paul@laika:~/perms$ chmod o-r permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
Si 1 paul paul 0 2007-02-07 22:34 permissions.txt 


This example gives all of them the write permission. 
paul@laika:~/perms$ chmod atw permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
—rwx-w--w- 1 paul paul 0 2007-02-07 22:34 permissions.txt 


You don't even have to type the a. 
paul@laika:~/perms$ chmod +x permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
—-rwx-wx-wx 1 paul paul 0 2007-02-07 22:34 permissions.txt 


You can also set explicit permissions. 
paul@laika:~/perms$ chmod u=rw permissions.txt 


paul@laika:~/perms$ 1s -1l permissions.txt 
—rw--wx-wx 1 paul paul 0 2007-02-07 22:34 permissions.txt 


Feel free to make any kind of combination. 
paul@laika:~/perms$ chmod u=rw, g=rw,o=r permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
=Lw=tw-r=— i paul paul 0 2007=02-07 22:34 permissions txt 


Even fishy combinations are accepted by chmod. 
paul@laika:~/perms$ chmod u=rwx,ugt+rw,o=r permissions.txt 


paul@laika:~/perms$ 1s -l permissions.txt 
-rwxrw-r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt 
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6.3.5. setting octal permissions 


Most Unix administrators will use the old school octal system to talk about and set 
permissions. Look at the triplet bitwise, equating r to 4, w to 2, and x to 1. 


Table 6.4. Octal permissions 


binary octal permission 
000 0 --- 
001 1 --X 
010 2 -w- 
O11 3 -WX 
100 4 r-- 
101 3 1-x 
| 110 6 rw- 
| 111 7 rwx 


This makes 777 equal to rwxrwxrwx and by the same logic, 654 mean rw-r-xr-- . The chmod 
command will accept these numbers. 


paul@laika:~/perms$ chmod 777 permissions.txt 
paul@laika:~/perms$ 1s -l permissions.txt 

—-rwxrwxrwx 1 paul paul 0 2007-02-07 22:34 permissions.txt 
paul@laika:~/perms$ chmod 664 permissions.txt 
paul@laika:~/perms$ 1s -l permissions.txt 

SEW ew—e—— I pawl pauls 0 2007-02-07 2234 permasismonis). tock 
paul@laika:~/perms$ chmod 750 permissions.txt 
paul@laika:~/perms$ 1s -l permissions.txt 

=nwxr—x——— i paul) paul 0 2007-02-07 227334 permissions. txt 
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6.3.6. umask 


When creating a file or directory, a set of default permissions are applied. These default 
permissions are determined by the umask. The umask specifies permissions that you do 
not want set on by default. You can display the umask with the umask command. 


[Harry@RHEL4b ~]$ umask 
0002 
[Harry@RHEL4b ~]$ touch test 

[Harry@RHEL4b ~]$ ls -l test 

-rw-rw-r-- 1 Harry Harry 0 Jul 24 06:03 test 
[Harry@RHEL4b ~]$ 


As you can also see, the file is also not executable by default. This is a general security 
feature among Unixes; newly created files are never executable by default. You have to 
explicitly do a chmod +x to make a file executable. This also means that the | bit in the 
umask has no meaning--a umask of 0022 is the same as 0033. 


6.3.7. mkdir -m 


When creating directories with mkdir you can use the -m option to set the mode. This 
screenshot explains. 


paul@debian5~$ mkdir -m 700 MyDir 

paul@debian5~$ mkdir -m 777 Public 

paul@debian5~S 1s -dl MyDir/ Public/ 

Chap 2 paul paul 4096 2011-10-16 19:16 MyDir/ 
drwxrwxrwx 2 paul paul 4096 2011-10-16 19:16 Public/ 


6.3.8. Cp -p 


To preserve permissions and time stamps from source files, use cp -p. 


paul@laika:~/perms$ cp file* cp 
paul@laika:~/perms$ cp -p file* cpp 
paul@laika:~/perms$ 11 * 


Sp ——— 1 paul paul 0 2008=08=25 13:26 f£ile33 
aEwxeE—x———) ih paul paws: 0 2008-08-25 13:26 file42 
eps 

jee (0) 

Sipe 1 paul paul O 2008-08-25 13:34 file33 
=EwxE—xX——— I epawl pauly OT Z008-—08—25, 1334. flea? 
Cppe 

total 0 

i ——— 1 paul paul O 2008-08-25 13:26 file33 
ape —< = IE jeyeb lh joven 10) AOS Wiss 2s) Ise AG. ae absevl 
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6.4. practice: standard file permissions 


1. As normal user, create a directory ~/permissions. Create a file owned by yourself in there. 
2. Copy a file owned by root from /etc/ to your permissions dir, who owns this file now ? 
3. As root, create a file in the users ~/permissions directory. 

4. As normal user, look at who owns this file created by root. 

5. Change the ownership of all files in ~/permissions to yourself. 

6. Make sure you have all rights to these files, and others can only read. 

7. With chmod, is 770 the same as rwxrwx--- ? 

8. With chmod, is 664 the same as r-xr-xr-- ? 

9. With chmod, is 400 the same as r-------- ? 

10. With chmod, is 734 the same as rwxr-xr-- ? 

11a. Display the umask in octal and in symbolic form. 

11b. Set the umask to 077, but use the symbolic format to set it. Verify that this works. 


12. Create a file as root, give only read to others. Can a normal user read this file ? Test 
writing to this file with vi. 


13a. Create a file as normal user, give only read to others. Can another normal user read this 
file ? Test writing to this file with vi. 


13b. Can root read this file ? Can root write to this file with vi ? 


14. Create a directory that belongs to a group, where every member of that group can read 
and write to files, and create files. Make sure that people can only delete their own files. 
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6.5. solution: standard file permissions 


1. As normal user, create a directory ~/permissions. Create a file owned by yourself in there. 


mkdir ~/permissions ; touch ~/permissions/myfile.txt 


2. Copy a file owned by root from /etc/ to your permissions dir, who owns this file now ? 


cp /etc/hosts ~/permissions/ 
The copy is owned by you. 


3. As root, create a file in the users ~/permissions directory. 


(become root) # touch /home/username/permissions/rootfile 


4. As normal user, look at who owns this file created by root. 


ls -l ~/permissions 
The file created by root is owned by root. 


5. Change the ownership of all files in ~/permissions to yourself. 


chown user ~/permissions/* 
You cannot become owner of the file that belongs to root. 


6. Make sure you have all rights to these files, and others can only read. 
chmod 644 (on files) 


chmod 755 (on directories) 

7. With chmod, is 770 the same as rwxrwx--- ? 
yes 

8. With chmod, is 664 the same as r-xr-xr-- ? 
No 

9. With chmod, is 400 the same as r-------- ? 
yes 

10. With chmod, is 734 the same as rwxr-xr-- ? 
no 


11a. Display the umask in octal and in symbolic form. 


umask ; umask -S 


11b. Set the umask to 077, but use the symbolic format to set it. Verify that this works. 


umask -S u=rwx, go= 


33 


standard file permissions 


12. Create a file as root, give only read to others. Can a normal user read this file ? Test 
writing to this file with vi. 


(become root) 

# echo hello > /home/username/root.txt 
# chmod 744 /home/username/root .txt 
(become user) 


Wile '~/ HOO sete 


13a. Create a file as normal user, give only read to others. Can another normal user read this 
file ? Test writing to this file with vi. 


echo hello > file ; chmod 744 file 
Yes, others can read this file 

13b. Can root read this file ? Can root write to this file with vi ? 

Yes, root can read and write to this file. Permissions do not apply to root. 


14. Create a directory that belongs to a group, where every member of that group can read 
and write to files, and create files. Make sure that people can only delete their own files. 


mkdir /home/project42 ; groupadd project42 


chgrp project42 /home/project42 ; chmod 775 /home/project42 


You can not yet do the last part of this exercise... 
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advanced file permissions 


7.1. sticky bit on directory 


You can set the sticky bit on a directory to prevent users from removing files that they do 
not own as a user owner. The sticky bit is displayed at the same location as the x permission 
for others. The sticky bit is represented by a t (meaning x is also there) or a T (when there 
is no x for others). 


root@RHELv4u4:~# mkdir /project55 

root@RHELv4u4:~# ls -ld /project55 

drwxr-xr-x 2 root root 4096 Feb 7 17:38 /project55 
root@RHELv4u4:~# chmod +t /project55/ 
root@RHELv4u4:~# ls -ld /project55 

drwxr-xr-t 2 root root 4096 Feb 7 17:38 /project55 
root @RHELvV4u4: ~# 


The sticky bit can also be set with octal permissions, it is binary 1 in the first of four triplets. 


root@RHELv4u4:~# chmod 1775 /project55/ 
root@RHELv4u4:~# ls -ld /project55 

drwxrwxr-t 2 root root 4096 Feb 7 17:38 /project55 
root @RHELv4u4: ~# 


You will typically find the sticky bit on the /tmp directory. 


root@barry:~# ls -ld /tmp 
drwxrwxrwt 6 root root 4096 2009-06-04 19:02 /tmp 


7.2. setgid bit on directory 


setgid can be used on directories to make sure that all files inside the directory are owned 
by the group owner of the directory. The setgid bit is displayed at the same location as the x 
permission for group owner. The setgid bit is represented by an s (meaning x is also there) 
or a S (when there is no x for the group owner). As this example shows, even though root 
does not belong to the group proj55, the files created by root in /project55 will belong to 
proj55 since the setgid is set. 


root @RHELv4u4:~# groupadd proj55 

root@RHELv4u4:~# chown root:proj55 /project55/ 
root@RHELv4u4:~# chmod 2775 /project55/ 

root @RHELv4u4:~# touch /project55/fromroot.txt 
root@RHELv4u4:~# ls -ld /project55/ 

drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/ 
root@RHELv4u4:~# ls -1l /project55/ 

total 4 

Ewer ob Ih roOot, proyoo 0) Heb) 7 7 s45. fromnmoor..txe 
root @RHELv4u4: ~# 


You can use the find command to find all setgid directories. 


paul@laika:~$ find / -type d -perm -2000 2> /dev/null 
/var/log/mysql 

/var/log/news 

/var/local 
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7.3. setgid and setuid on regular files 


These two permissions cause an executable file to be executed with the permissions of the 
file owner instead of the executing owner. This means that if any user executes a program 
that belongs to the root user, and the setuid bit is set on that program, then the program 
runs as root. This can be dangerous, but sometimes this is good for security. 


Take the example of passwords; they are stored in /etc/shadow which is only readable by 
root. (The root user never needs permissions anyway.) 


root @RHELv4u4:~# ls -1 /etc/shadow 
-r-------- 1 root root 1260 Jan 21 07:49 /etc/shadow 


Changing your password requires an update of this file, so how can normal non-root users 
do this? Let's take a look at the permissions on the /usr/bin/passwd. 


root@RHELv4u4:~# ls -1 /usr/bin/passwd 
=r—-s——-x—--x 1 root root 21200 Jun 17 2005 /usr/bin/passwd 


When running the passwd program, you are executing it with root credentials. 


You can use the find command to find all setuid programs. 


paul@laika:~$ find /usr/bin -type f -perm -04000 
/usr/bin/arping 

/usr/bin/kgrantpty 

/usr/bin/newgrp 

/usr/bin/chfn 

/usr/bin/sudo 

/usr/bin/fping6 

/usr/bin/passwd 

/usr/bin/gpasswd 


In most cases, setting the setuid bit on executables is sufficient. Setting the setgid bit will 
result in these programs to run with the credentials of their group owner. 


7.4. setuid on sudo 


The sudo binary has the setuid bit set, so any user can run it with the effective userid of root. 
paul@rhel65:~$ 1s -1 $(which sudo) 


=——S>— x xl nOote root 23832 Oct 7) 20s /msr/ban/sudo 
paul@rhel65:~$ 
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7.5. practice: sticky, setuid and setgid bits 


la. Set up a directory, owned by the group sports. 

1b. Members of the sports group should be able to create files in this directory. 
1c. All files created in this directory should be group-owned by the sports group. 
1d. Users should be able to delete only their own user-owned files. 

le. Test that this works! 


2. Verify the permissions on /usr/bin/passwd. Remove the setuid, then try changing your 
password as a normal user. Reset the permissions back and try again. 


3. If time permits (or if you are waiting for other students to finish this practice), read about 
file attributes in the man page of chattr and Isattr. Try setting the i attribute on a file and 
test that it works. 
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7.6. solution: sticky, setuid and setgid bits 


la. Set up a directory, owned by the group sports. 
groupadd sports 
mkdir /home/sports 


chown root:sports /home/sports 


1b. Members of the sports group should be able to create files in this directory. 


chmod 770 /home/sports 


Ic. All files created in this directory should be group-owned by the sports group. 


chmod 2770 /home/sports 


1d. Users should be able to delete only their own user-owned files. 


chmod +t /home/sports 
le. Test that this works! 


Log in with different users (group members and others and root), create files and watch the 
permissions. Try changing and deleting files... 


2. Verify the permissions on /usr/bin/passwd. Remove the setuid, then try changing your 
password as a normal user. Reset the permissions back and try again. 


root@deb503:~# 1s -1 /usr/bin/passwd 

—-rwsr-xr-x 1 root root 31704 2009-11-14 15:41 /usr/bin/passwd 
root@deb503:~# chmod 755 /usr/bin/passwd 

root@deb503:~# 1s -1 /usr/bin/passwd 

-rwxr-xr-x 1 root root 31704 2009-11-14 15:41 /usr/bin/passwd 


A normal user cannot change password now. 


root@deb503:~# chmod 4755 /usr/bin/passwd 
root@deb503:~# 1s -1 /usr/bin/passwd 
=rwsr—-xr—-x 1 root root 31704 2009-11-14 15:41 /usr/bin/passwd 


3. If time permits (or if you are waiting for other students to finish this practice), read about 
file attributes in the man page of chattr and Isattr. Try setting the i attribute on a file and 
test that it works. 


paul@laika:~$ sudo su - 

[sudo] password for paul: 
root@laika:~# mkdir attr 
root@laika:~# cd attr/ 
root@laika:~/attr# touch file42 
root@laika:~/attr# lsattr 

./file42 
root@laika:~/attr# chattr +i file42 
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root@laika: 
----ji Si 
root@laika: 


rm: cannot 


root@laika: 
root@laika: 
root@laika: 


~/attr# lsattr 


aa = ee -/file42 
~/attr# rm -rf file42 
remove ~file42': Operation not permitted 


~/attr# chattr -i file42 
~/attr# rm -rf file42 
~/attr# 


62 


Chapter 8. access control lists 


Standard Unix permissions might not be enough for some organisations. This chapter 
introduces access control lists or acl's to further protect files and directories. 
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8.1. acl in /etc/fstab 


File systems that support access control lists, or acls, have to be mounted with the acl 
option listed in /etc/fstab. In the example below, you can see that the root file system has 
acl support, whereas /home/data does not. 


root@laika:~# tail -4 /etc/fstab 


/dev/sdal i ext3 acl, relatime al 
/dev/sdb2 /home/data auto noacl,defaults 0 0 
pasha: /home/r /home/pasha nfs defaults 0 O 
wolf:/srv/data /hnome/wolf nfs defaults 0 O 


8.2. getfacl 


Reading acls can be done with /usr/bin/getfacl. This screenshot shows how to read the acl 
of file33 with getfacl. 


paul@laika:~/test$ getfacl file33 
# files fidless 

# owner: paul 

# group: paul 

user: :rw- 


SaOwIOs Fie — 
mask: :rwx 
oye lavene Gre 


8.3. setfacl 


Writing or changing acls can be done with /usr/bin/setfacl. These screenshots show how 
to change the acl of file33 with setfacl. 


First we add user sandra with octal permission 7 to the acl. 


paul@laika:~/testS setfacl -m u:sandra:7 file33 


Then we add the group tennis with octal permission 6 to the acl of the same file. 


paul@laika:~/testS setfacl -m g:tennis:6 file33 


The result is visible with getfacl. 


paul@laika:~/test$ getfacl file33 
# file: file33 

# owner: paul 

# group: paul 

user: :rw- 

user:sandra:rwx 

spigtelbieye Gis —— 

group:tennis:rw- 

mask: :rwx 

@iehicke tye — 
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8.4. remove an acl entry 


The -x option of the setfacl command will remove an acl entry from the targeted file. 


paul@laika:~/test$S setfacl -m u:sandra:7 file33 
paul@laika:~/test$ getfacl file33 | grep sandra 
user: sandra: rwx 

paul@laika:~/test$S setfacl -x sandra file33 
paul@laika:~/test$ getfacl file33 | grep sandra 


Note that omitting the u or g when defining the acl for an account will default it to a user 
account. 


8.5. remove the complete acl 


The -b option of the setfacl command will remove the acl from the targeted file. 


paul@laika:~/test$ setfacl -b file33 
paul@laika:~/test$ getfacl file33 

# file: file33 

# Owner: paul 

# group: paul 

user: :rw- 

speteleieys Bie —— 

oneleveie gsi 


8.6. the acl mask 


The acl mask defines the maximum effective permissions for any entry in the acl. This 
mask is calculated every time you execute the setfacl or chmod commands. 


You can prevent the calculation by using the --no-mask switch. 


paul@laika:~/test$ setfacl no-mask -m u:sandra:7 file33 
paul@laika:~/test$ getfacl file33 

iH fiber seidles3 

# owner: paul 

# group: paul 

user: :rw- 

user:sandra:rwx #effective: rw- 

CaCO Se — 

mask: :rw- 

onelelee 3 4 
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8.7. eilciel 


Desktop users might want to use eiciel to manage acls with a graphical tool. 


‘Basic Emblems Permissions Open With Notes Access Control List 
Access Control List 


Entry Read Write Execution a 
& paul W A a 
8 sanda @ | | J 
sg paul ae @ 
Bmask wo W w 
g Other: @ : B ou 


You will need to install eiciel and nautilus-actions to have an extra tab in nautilus to 
manage acls. 


paul@laika:~$ sudo aptitude install eiciel nautilus-actions 
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An average computer using Linux has a file system with many hard links and symbolic 
links. 


To understand links in a file system, you first have to understand what an inode is. 
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9.1. inodes 


9.1.1. inode contents 


An inode is a data structure that contains metadata about a file. When the file system stores 
a new file on the hard disk, it stores not only the contents (data) of the file, but also extra 
properties like the name of the file, the creation date, its permissions, the owner of the file, 
and more. All this information (except the name of the file and the contents of the file) is 
stored in the inode of the file. 


The Is -l command will display some of the inode contents, as seen in this screenshot. 


root@rhel53 ~# 1s -ld /home/project42/ 
drwxr-xr-x 4 root pro42 4.0K Mar 27 14:29 /home/project42/ 


9.1.2. inode table 


The inode table contains all of the nodes and is created when you create the file system 
(with mkfs). You can use the df -i command to see how many inodes are used and free on 
mounted file systems. 


root@rhel53 ~# df -i 
Filesystem Inodes IUsed IFree IUse% Mounted on 
/dev/mapper/VolGroup00-LogVol100 


4947968 115326 4832642 a 
/dev/hdal 26104 45 26059 1% /boot 
tmpfs 64417 1 64416 1% /dev/shm 
/dev/sdal 262144 220 weZooosT 1% /home/project42 
/dev/sdb1 74400 5519 68881 8% /home/project33 
/dev/sdb5 0 0 0 - /home/sales 
/dev/sdb6é 100744 Ii TOOT 38 1% /home/research 


In the df -i screenshot above you can see the inode usage for several mounted file systems. 
You don't see numbers for /dev/sdb5 because it is a fat file system. 


9.1.3. inode number 


Each inode has a unique number (the inode number). You can see the inode numbers with 
the Is -li command. 


paul@RHELv4u4:~/test$ touch filel 
paul@RHELv4u4:~/test$ touch file2 
paul@RHELv4u4:~/test$ touch file3 
paul@RHELv4u4:~/test$ ls -li 


total 12 

817266 -rw-rw-r-- 1 paul paul 0 Feb 5 15:38 filel 
si 267 —ew— ewe pau paul) Ol mebs 65) al Si38) fale? 
817268 -rw-rw-r-- 1 paul paul 0 Feb 5 15:38 file3 


paul@RHELv4u4:~/test$ 


These three files were created one after the other and got three different inodes (the first 
column). All the information you see with this Is command resides in the inode, except for 
the filename (which is contained in the directory). 
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9.1.4. inode and file contents 


Let's put some data in one of the files. 


paul@RHELv4u4:~/test$ ls -li 


e@ieedL ALG 

S266) ew ewe le oad) aude NO ele 85) SeSi8 stake: 
sie 20 —rw—ewee—— (als paul paul 92) heb “5 i85i:425 fale? 
817268 -rw-rw-r-- 1 paul paul O Feb 5 15:38 file3 


paul@RHELv4u4:~/test$ cat file2 

It is winter now and it is very cold. 

We do not like the cold, we prefer hot summer nights. 
paul@RHELv4u4:~/test$ 


The data that is displayed by the cat command is not in the inode, but somewhere else on 
the disk. The inode contains a pointer to that data. 


9.2. about directories 


9.2.1. a directory is a table 


A directory is a special kind of file that contains a table which maps filenames to inodes. 
Listing our current directory with Is -ali will display the contents of the directory file. 


paul@RHELv4u4:~/test$ ls -ali 


total 32 

817262 drwxrwxr-x 2 paul paul 4096 Feb 5 15:42 
S008 Wdrwsx==—=——— 16 paul paul 4096 beb 5 15342 2. 
SLUG seis 1 paul paul O Meb 5 Fo33'8) filed 
SLAW eee 1 paul paul 92 Feb 5 15:42 file2 
SH ZA.C8. EW ew ta 1 paul paul O Peb: 5) 15338) tales 


paul@RHELv4u4:~/test$ 
9.2.2. = and an 


You can see five names, and the mapping to their five inodes. The dot . is a mapping to itself, 
and the dotdot .. is a mapping to the parent directory. The three other names are mappings 
to different inodes. 
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9.3. hard links 
9.3.1. creating hard links 


When we create a hard link to a file with In, an extra entry is added in the directory. A new 
file name is mapped to an existing inode. 


paul@RHELv4u4:~/test$ ln file2 hardlink_to_file2 
paul@RHELv4u4:~/test$ ls -li 


total 24 

SLIZ66 —=cw—Ew—~2-— 9 paul) paul O Reb 5° UsisS8 stalked 

S270! —ew-ewe—-— 7 paul paul 992) Belo 5) W542) pale? 

SIIZ208 aw ewe apa joaull 10 eb 5) S38) takes 

S270 Sew ewe ee paul paul 92 hel 5s l5c42 whandlamkntomtanle? 


paul@RHELv4u4:~/test$ 


Both files have the same inode, so they will always have the same permissions and the same 
owner. Both files will have the same content. Actually, both files are equal now, meaning 
you can safely remove the original file, the hardlinked file will remain. The inode contains 
a counter, counting the number of hard links to itself. When the counter drops to zero, then 
the inode is emptied. 


9.3.2. finding hard links 


You can use the find command to look for files with a certain inode. The screenshot below 
shows how to search for all filenames that point to inode 817270. Remember that an inode 
number is unique to its partition. 


paul@RHELv4u4:~/test$ find / -inum 817270 2> /dev/null 


/home/paul/test/file2 
/home/paul/test/hardlink_to_file2 
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9.4. symbolic links 


Symbolic links (sometimes called soft links) do not link to inodes, but create a name to 
name mapping. Symbolic links are created with In -s. As you can see below, the symbolic 


link gets an inode of its own. 


paul @RHE!I 
paul@RHELv4u4:~/test$ ls -li 
total 32 

ShyA7s —aw— Bw e——) sl paul pauell 
S20) Sew ewe a2) paul spall 
SILIMAGIS) sey —aeyj—ge— IL oye blll jeyeubiil 
sit 270" —ew— ew e—— 7. paul yoauil: 
817267 lrwxrwxrwx 1 paul paul 
paul@RHELv4u4:~/test$ 


Feb 
Feb 
Feb 
Feb 
Feb 


aunnuu 


al 


alls 


2016 
Wes 
dpoys 
:04 
Gis 


04 
38 
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Lv4u4:~/test$ ln -s file2 symlink_to_file2 


filel 

file2 

file3 

hardlink_to_file2 
symlink_to_file2 -> file2 


Permissions on a symbolic link have no meaning, since the permissions of the target apply. 
Hard links are limited to their own partition (because they point to an inode), symbolic links 
can link anywhere (other file systems, even networked). 


9.5. removing links 


Links can be removed with rm. 


touch data.txt 


paul@laika:~$ 

paul@laika:~$ ln 
paul@laika:~$ 1n 
paul@laika:~$ rm 
paul@laika:~$ rm 


-s data.txt sl_data.txt 


data.txt hl_data.txt 


sl_data.txt 
hl_data.txt 
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9.6. practice : links 


1. Create two files named winter.txt and summer.txt, put some text in them. 

2. Create a hard link to winter.txt named hlwinter.txt. 

3. Display the inode numbers of these three files, the hard links should have the same inode. 
4. Use the find command to list the two hardlinked files 

5. Everything about a file is in the inode, except two things : name them! 

6. Create a symbolic link to summer.txt called slsummer.txt. 

7. Find all files with inode number 2. What does this information tell you ? 

8. Look at the directories /etc/init.d/ /etc/rc2.d/ /etc/rc3.d/ ... do you see the links ? 

9. Look in /lib with Is -L.. 


10. Use find to look in your home directory for regular files that do not(!) have one hard link. 
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9.7. solution : links 


1. Create two files named winter.txt and summer.txt, put some text in them. 


echo cold > winter.txt ; echo hot > summer.txt 

2. Create a hard link to winter.txt named hlwinter.txt. 

ln winter.txt hlwinter.txt 

3. Display the inode numbers of these three files, the hard links should have the same inode. 
ls -li winter.txt summer.txt hlwinter.txt 

4. Use the find command to list the two hardlinked files 

find . -inum xyz #replace xyz with the inode number 

5. Everything about a file is in the inode, except two things : name them! 

The name of the file is in a directory, and the contents is somewhere on the disk. 
6. Create a symbolic link to summer.txt called slsummer.txt. 

ln -s summer.txt slsummer.txt 


7. Find all files with inode number 2. What does this information tell you ? 


It tells you there is more than one inode table (one for every formatted partition + virtual 
file systems) 


8. Look at the directories /etc/init.d/ /etc/re.d/ /etc/rc3.d/ ... do you see the links ? 
lise leyece/sunukteycl 
Hs) SL See 262! 


fly Sil /eierey/teie! 3} a6 


9. Look in /lib with Is -1... 


nls al fale) 


10. Use find to look in your home directory for regular files that do not(!) have one hard link. 


pealiavol <=; i) = iauiaes) i" —eyigexs)- 2 


73 


Part Ill. iptables firewall 


Table of Contents 


10. introduction tO rOUTETS ...........ssccrecssrcecerssseseserseseesssesssseseeseseseeseseeseessesesssecsesseseseesesessesessssessesersesersesess 76 
10.1,.router ‘or firewall 2. tecceN Rid ech eae Penn AE OS ee A her ee eae 77 
10:2; packet forwarding escsicesassssssscsashsessbssusessecesseicesvecuyesiedesiedsesssbactasesessbossegensck sgcdveesssbvceesasvssassansasseess 77 
10.32 packet Siler ps xs ciccctbieg ckcoet ies evebes iekae dee ses tineaths dodang cides ipod autpadiguasnouenievaey sens be Saeed shdusdounsancustadeaands 77 
TO As State fils ss evesceseseevesesseuss seacheswaceun Qe vuges neces vans SadeseGannke pe sewn tenbe aveve.c¥ shebee¥ upsaipa sa uenoe dapuacesoueuuentean ipoened 77 
10.5. nat (network address translation) ...........c:cccessccessscecesseceeessecesseceecseeceseaeecseeeeesseeecsesaeeseeeeeeeseeeeneaes 78 
10.6. pat<(port address tramslation). ..:s.cscssces.ecuscessesscusssacssiseschessotacsouessassossbesssnssscascsdeestpesssonsoussscnpeeovess 78 
10:7 .:snat (SOURCE Nat) -<.hsctt ake tied Ah. ce elie ade eee annulate fiiie Bteesiics iS 78 
10:8 MASQUETACINE 5255 s03 seig Seesees vetsetiss sesteds te wpestR saa cess easbber vaeis Seo apes sehbeg ag caesbiatin eskeseay aapeas uate aseatbbouees 78 
10:9: dnat (destination Nat) :.a:.ke.n. nh eek aie AAA ee AA A Ae ed 78 
10:10. port LOrwardag sesss.sscc.css5s6sSussesess steak pecbesessbedeca sesh essvenssscaptastes cous lbesionspasnpenousegessssoesessssssanbaseastsy 78 
10.11. /proc/sys/net/ipv4/ip_forward oo... eee csessecnecnseceeceseeseceseeseceseeeseaeseeseneeeaecaessaecaeesaecseesaeenees 79 
LOT2.-Jete/SYSCUL COME ses esescessssscks gd sabeesue sabe sskeh sea ys ss abbspane seesait up oh va beseay sobs soba cedea saseispasasessganes sbeaistupadenees 79 
10.13. ‘SYSCU i. cis fcteces ares heed Boetedisevectantta beans Wiebe: Baugdveds Aa cea ALS eld tes Goce dees Ang oad tabs de sete 79 
10,14. practice: packet. forwarding: ..:5:...c:.cccsscuscsigcoiessbansotidasnpsiotanssastssostspessvensivoxss soneaspessnavdotacssnabeoase 80 
10.15. solution: packet forwarding ...... eee cee eeeceeeeeeeeseeeeecaeeesecaecsaecsacsaecnecsecesceseeeaseseseeeeseeeneeags 82 

LL .iptables firewall. ..s.c.cssscscsssvasoesesocsesesonsossevocenssescenvsassccveeasoesesessasoubevesdecesonsnssessousseusecsdsusssésceasensesassaseubesees 85 
LLL iptables: tables... chs basa s saan ainsnaa tin Ah Nac tsa needs AA RA Ana 86 
11.2. starting and stopping iptables oe ee eee eseecse cee csecscsaeceaeaeceecseceesseeseeeseseaseaeseaeeseeeneeaes 86 
13s, The Titer table. tose cbeccsiesbatetecettettin hevbol sous wuacepets eats was coacesaeaeddaons puta suaebs wrebeasuae doa necarenpuaetnaneessebies 87 
114 <practice: packet: filterimg: 5255.5 .sc5sscivees sees tossing ai sade siaee saacapies obesoseacs ts cbs sesbenn apes dedstachsaaebugea cbessasdeouecs 92 
TL5.solution? packet flterin ge: asic cies hss avi ec Rata e he devees Ao letaaes ses capes Bevbaaeabuvis Sel eeteas eaves Bees 93 
11.6. network ‘address ‘translation <s..5ccc5..cisucieseseus sich scesssssctashacsoeeoica sbsoosctesssheossobessusvscnneseenseudivessbosnates 94 


75 


Chapter 10. introduction to routers 


What follows is a very brief introduction to using Linux as a router. 


introduction to routers 


10.1. router or firewall 


A router is a device that connects two networks. A firewall is a device that besides acting 
as a router, also contains (and implements) rules to determine whether packets are allowed 
to travel from one network to another. A firewall can be configured to block access based 
on networks, hosts, protocols and ports. Firewalls can also change the contents of packets 
while forwarding them. 


router or 
firewall ? 


10.2. packet forwarding 


Packet forwarding means allowing packets to go from one network to another. When a 
multihomed host is connected to two different networks, and it allows packets to travel from 
one network to another through its two network interfaces, it is said to have enabled packet 
forwarding. 


10.3. packet filtering 


Packet filtering is very similar to packet forwarding, but every packet is individually tested 
against rules that decide on allowing or dropping the packet. The rules are stored by iptables. 


10.4. stateful 


A stateful firewall is an advancement over stateless firewalls that inspect every individual 
packet. A stateful firewall will keep a table of active connections, and is knowledgeable 
enough to recognise when new connections are part of an active session. Linux iptables is 
a stateful firewall. 
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10.5. nat (network address translation) 


A nat device is a router that is also changing the source and/or target ip-address in packets. 
It is typically used to connect multiple computers in a private address range (rfc 1918) with 
the (public) internet. A nat can hide private addresses from the internet. 


It is important to understand that people and vendors do not always use the right term when 
referring to a certain type of nat. Be sure you talk about the same thing. We can distuinguish 
several types of nat. 


10.6. pat (port address translation) 


nat often includes pat. A pat device is a router that is also changing the source and/or target 
tcp/udp port in packets. pat is Cisco terminology and is used by snat, dnat, masquerading 
and port forwarding in Linux. RFC 3022 calls it NAPT and defines the nat/pat combo as 
"traditional nat". A device sold to you as a nat-device will probably do nat and pat. 


10.7. snat (Source nat) 


A snat device is changing the source ip-address when a packet passes our nat. snat 
configuration with iptables includes a fixed target source address. 


10.8. masquerading 


Masquerading is a form of snat that will hide the (private) source ip-addresses of your 
private network using a public ip-address. Masquerading is common on dynamic internet 
interfaces (broadband modem/routers). Masquerade configuration with iptables uses a 
dynamic target source address. 


10.9. dnat (destination nat) 


A dnat device is changing the destination ip-address when a packet passes our nat. 


10.10. port forwarding 


When static dnat is set up in a way that allows outside connections to enter our private 
network, then we call it port forwarding. 
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10.11. /proc/sys/net/ipv4/ip_forward 


Whether a host is forwarding packets is defined in /proc/sys/net/ipv4/ip_forward. The 
following screenshot shows how to enable packet forwarding on Linux. 


root@router~# echo 1 > /proc/sys/net/ipv4/ip_forward 


The next command shows how to disable packet forwarding. 


root@router~# echo 0 > /proc/sys/net/ipv4/ip_forward 


Use cat to check if packet forwarding is enabled. 


root@router~# cat /proc/sys/net/ipv4/ip_forward 


10.12. /etc/sysctl.conf 


By default, most Linux computers are not configured for automatic packet forwarding. 
To enable packet forwarding whenever the system starts, change the net.ipv4.ip_forward 
variable in /etc/sysctl.conf to the value 1. 


root@router~# grep ip forward /etc/sysctl.conf 
net.ipv4.ip_forward = 0 


10.13. sysctl 


For more information, take a look at the man page of sysctl. 
root@debian6~# man sysctl 


root@debian6~# sysctl -a 2>/dev/null | grep ip_forward 
net.ipv4.ip_forward = 0 
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10.14. practice: packet forwarding 


0. You have the option to select (or create) an internal network when adding a network card 
in VirtualBox or VMWare. Use this option to create two internal networks. I named them 
leftnet and rightnet, but you can choose any other name. 


=P Network 


Adapter 1: Intel PRO/1000 MT Desktop (Bridged Adapter, en1: AirPort) 
Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, ‘leftnet') 
Adapter 3: Intel PRO/1000 MT Desktop (Internal Network, 'rightnet'’) 


1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both 
get an ip-address in the correct subnet. These two machines will be ‘left’ and ‘right’ from 
the ‘router’. 


10.0.70.9 
Goma) WG 703) 


2. Set up a third Linux computer with three network cards, one on leftnet, the other on 
rightnet. This computer will be the 'router'. Complete the table below with the relevant 
names, ip-addresses and mac-addresses. 


Table 10.1. Packet Forwarding Exercise 


leftnet computer the router rightnet computer 


MAC 
IP 


3. How can you verify whether the router will allow packet forwarding by default or not ? 
Test that you can ping from the router to the two other machines, and from those two 
machines to the router. Use arp -a to make sure you are connected with the correct mac 
addresses. 
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4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet 
forwarding on the router and verify what happens to the ping between the two networks. If 
you do not succeed in pinging between the two networks (on different subnets), then use a 
sniffer like wireshark or tcpdump to discover the problem. 


5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC 
change when a packet passes through the filter ? And the destination MAC ? What about 
source and destination [P-addresses ? 


6. Remember the third network card on the router ? Connect this card to a LAN with internet 
connection. On many LAN's the command dhclient eth0 just works (replace eth0O with the 
correct interface). 


root@router~# dhclient eth0 


You now have a setup similar to this picture. What needs to be done to give internet access 
to leftnet and rightnet. 


router 
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10.15. solution: packet forwarding 


=P Network 


Adapter 1: Intel PRO/1000 MT Desktop (Bridged Adapter, en1: AirPort) 
Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, ‘leftnet') 
Adapter 3: Intel PRO/1000 MT Desktop (Internal Network, 'rightnet') 


1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both 
get an ip-address in the correct subnet. These two machines will be ‘left’ and 'right’ from 
the ‘router’. 


leftnet rightnet 


router 


oe ® 10.0.70.9 
10.0.60.1 


The ip configuration on your computers should be similar to the following two screenshots. 
Both machines must be in a different subnet (here 192.168.60.0/24 and 192.168.70.0/24). I 
created a little script on both machines to configure the interfaces. 


root@left~# cat leftnet.sh 
pkill dhclient 
ifconfig ethO 192.168.60.8 netmask 255.255.255.0 


root@right~# cat rightnet.sh 
pkill dhclient 
EECOnEIG ethO) 192 168.70.19 metmask, 255)..255)..255 .10 


2. Set up a third Linux computer with three network cards, one on leftnet, the other on 
rightnet. This computer will be the ‘router’. Complete the table below with the relevant 
names, ip-addresses and mac-addresses. 

root@router~# cat router.sh 

ifconfig ethl 192.168.60.1 netmask 255.255.255.0 


ifconfig eth2 192.168.70.1 netmask 255.255.255.0 
#echo 1 > /proc/sys/net/ipv4/ip_forward 


Your setup may use different ip and mac addresses than the ones in the table below. 


Table 10.2. Packet Forwarding Solution 


leftnet computer the router rightnet computer 
08:00:27:f6:ab:b9 08:00:27:43:1f:5a 08:00:27:be:4a:6b 08:00:27:14:8b:17 
192.168.60.8 192.168.60.1 192.168.70.1 192.168.70.9 
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3. How can you verify whether the router will allow packet forwarding by default or not ? 
Test that you can ping from the router to the two other machines, and from those two 
machines to the router. Use arp -a to make sure you are connected with the correct mac 
addresses. 


This can be done with "grep ip_forward /etc/sysctl.conf" (1 is enabled, 0 is disabled) or 
with sysctl -a | grep ip_for. 


root@router~# grep ip_for /etc/sysctl.conf 
net.ipv4.ip_forward = 0 


4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet 
forwarding on the router and verify what happens to the ping between the two networks. If 
you do not succeed in pinging between the two networks (on different subnets), then use a 
sniffer like wireshark or tcpdump to discover the problem. 


Did you forget to add a default gateway to the LAN machines ? Use route add default 
gw 'ip-address'. 

root@left~# route add default gw 192.168.60.1 

root@right~# route add default gw 192.168.70.1 

You should be able to ping when packet forwarding is enabled (and both default gateways 


are properly configured). The ping will not work when packet forwarding is disabled or 
when gateways are not configured correctly. 


5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC 
change when a packet passes through the filter ? And the destination MAC ? What about 
source and destination [P-addresses ? 

Both MAC addresses are changed when passing the router. Use tcpdump -xx like this: 
root@router~# tcpdump -xx -i ethl 


root@router~# tcpdump -xx -i eth2 
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6. Remember the third network card on the router ? Connect this card to a LAN with internet 
connection. On many LAN's the command dhclient eth0 just works (replace eth0O with the 
correct interface. 


root@router~# dhclient eth0 


You now have a setup similar to this picture. What needs to be done to give internet access 
to leftnet and rightnet. 


The clients on leftnet and rightnet need a working dns server. We use one of Google's 
dns servers here. 


echo nameserver 8.8.8.8 > /etc/resolv.conf 
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Chapter 11. iptables firewall 


This chapter introduces some simple firewall rules and how to configure them with iptables. 


iptables is an application that allows a user to configure the firewall functionality built into 
the Linux kernel. 


85 


iptables firewall 


11.1. iptables tables 


By default there are three tables in the kernel that contain sets of rules. 


The filter table is used for packet filtering. 
root@debian6~# iptables -t filter -L 
Chain INPUT (policy ACCEPT) 


target prot opt source destination 


Chain FORWARD (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 


The nat table is used for address translation. 
root@debian6~# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT) 


target prot opt source destination 


Chain POSTROUTING (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 


The mangle table can be used for special-purpose processing of packets. 


Series of rules in each table are called a chain. We will discuss chains and the nat table 
later in this chapter. 


11.2. starting and stopping iptables 


The following screenshot shows how to stop and start iptables on Red Hat/Fedora/CentOS 
and compatible distributions. 


[root@centos6 ~]# service iptables stop 

[root@centos6 ~]# service iptables start 

iptables: Applying firewall rules [ ok ] 
[root@centos6 ~]# 


Debian and *buntu distributions do not have this script, but allow for an uninstall. 


root@debian6~# aptitude purge iptables 
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11.3. the filter table 
11.3.1. about packet filtering 


Packet filtering is a bit more than packet forwarding. While packet forwarding uses only 
a routing table to make decisions, packet filtering also uses a list of rules. The kernel will 
inspect packets and decide based on these rules what to do with each packet. 


11.3.2. filter table 


The filter table in iptables has three chains (sets of rules). The INPUT chain is used for any 
packet coming into the system. The OUTPUT chain is for any packet leaving the system. 
And the FORWARD chain is for packets that are forwarded (routed) through the system. 


kernel 


>= 
fl 


nur —> oan eis => _—oureur 


The screenshot below shows how to list the filter table and all its rules. 


[root@RHEL5 ~]# iptables -t filter -nL 
Chain INPUT (policy ACCEPT) 
target prot opt source destination 


Chain FORWARD (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 


target prot opt source destination 
[root@RHEL5 ~]# 


As you can see, all three chains in the filter table are set to ACCEPT everything. ACCEPT 
is the default behaviour. 
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11.3.3. setting default rules 


The default for the default rule is indeed to ACCEPT everything. This is not the most secure 
firewall. 


A more secure setup would be to DROP everything. A package that is dropped will not 
continue in any chain, and no warning or error will be sent anywhere. 


The below commands lock down a computer. Do not execute these commands inside a 
remote ssh shell. 


root@debianpaul~# iptables -P INPUT DROP 
root@debianpaul~# iptables -P OUTPUT DROP 
root@debianpaul~# iptables -P FORWARD DROP 
root@debianpaul~# iptables -L 

Chain INPUT (policy DROP) 

target prot opt source destination 


Chain FORWARD (policy DROP) 
target prot opt source destination 


Chain ‘OUTPUT (polaicy DROP) 
target prot opt source destination 


11.3.4. changing policy rules 


To start, let's set the default policy for all three chains to drop everything. Note that you 
might lose your connection when typing this over ssh ;-). 


[root@RHEL5 ~]# iptables -P INPUT DROP 
[root@RHEL5 ~]# iptables -P FORWARD DROP 
[root@RHEL5 ~]# iptables -P OUTPUT DROP 


Next, we allow the server to use its own loopback device (this allows the server to access 
its services running on localhost). We first append a rule to the INPUT chain to allow 
(ACCEPT) traffic from the lo (oopback) interface, then we do the same to allow packets to 
leave the system through the loopback interface. 


[root@RHEL5 ~]# iptables -A INPUT -i lo -—j ACCEPT 
[root@RHEL5 ~]# iptables -A OUTPUT -o lo -j ACCEPT 


Looking at the filter table again (omitting -t filter because it is the default table). 


[root@RHEL5 ~]# iptables -nL 

Chain INPUT (pollaicy, DROP’) 

target prot opt source destination 
ACCEPT eulie = 4040500) ORO OR OA0: 


Chain FORWARD (policy DROP) 
target prot opt source destination 


Chain OUTPUT (policy DROP) 


target prot opt source destination 
ACCEPT aul ==. @,0 60. 0/0 Or Oi ON.0)/10) 


88 


iptables firewall 


11.3.5. Allowing ssh over eth0 


This example show how to add two rules to allow ssh access to your system from outside. 


[root@RHEL5 ~]# iptables -A INPUT -i eth0O -p tcp --dport 22 -j ACCEPT 


[root@RHEL5 ~]# iptables -A OUTPUT -o eth0O 


p tcp 


SPORE Am) ACEH PA: 


The filter table will look something like this screenshot (note that -v is added for more 


verbose output). 


[root@RHEL5 ~]# iptables -nvL 
Chain INPUT (policy DROP 7 packets, 609 bytes) 
pkts bytes target prot opt in out source 
0 Q) NCEE adil == ile BS On 0.05 0/0 
0 © ACCEPT (tcp: == “etho * 020202070 
Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target prot opt in out source 
Chain OUTPUT (policy DROP 3 packets, 228 bytes) 
pkts bytes target prot opt in out source 
0 OAC CH Dsl cele le) ORONO O40 
0 O ACCEPT “Ecp == * etho 0.0.0.0/0 


[root@RHEL5 ~]# 


destination 
OP1O%102.01/ 0 


OF00 30/0 Step dp :22 


destination 


destination 
O/Oi0% 017-0 


OS00 50/0 “rep  spire22 


11.3.6. Allowing access from a subnet 


This example shows how to allow access from any computer in the 10.1.1.0/24 network, but 
only through eth1. There is no port (application) limitation here. 


[root@RHEL5 ~]# iptables -A INPUT -i ethl -s 10.1.1.0/24 -p tcp -j ACCEPT 
[root@RHEL5 ~]# iptables -A OUTPUT -o ethli -d 10.1.1.0/24 -p tcp -j ACCEPT 


Together with the previous examples, the policy is expanding. 


[root@RHEL5 ~]# iptables -nvL 
Chain INPUT (policy DROP 7 packets, 609 bytes) 
pkts bytes target prot opt in out source 
0 O -ACCEET all ==) Vio a O00 070 
0 OFACCEDT Tepe —— ceo 0.0.0.0/0 
0 O ACCEPT Eep ~=—" “ethil = 
Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target prot opt in out source 
Chain OUTPUT (policy DROP 3 packets, 228 bytes) 
pkts bytes target prot opt in out source 
0 OAC CH Pay aelt nes ike} 0.0.0.0/0 
0 OFACCHEI. ECps === + ethoO 0.0.0.0/0 
0 0) ANCIGINEM jeej == ethd, (02050-0710 
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destination 
ORORO SOO 


OD OOR0/ 0 teprdpr: 22 


HOR As O24) Ol 0.10).101/'0 


destination 


destination 
OF OL0070 
OF OR0) 07/70 
Oe dL Le One 


ECD: SpE. 22 
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11.3.7. iptables save 


Use iptables save to automatically implement these rules when the firewall is (re)started. 


[root@RHEL5 ~]# /etc/init.d/iptables save 
Saving firewall rules to /etc/sysconfig/iptables: | OK || 
[root@RHEL5 ~]# 


11.3.8. scripting example 


You can write a simple script for these rules. Below is an example script that implements 
the firewall rules that you saw before in this chapter. 


#!/bin/bash 

# first cleanup everything 
iptables -t filter -F 
iptables -t filter -xX 
iptables -t nat -F 
iptables -t nat -X 


# default drop 

iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT DROP 


# allow loopback device 
iptables: Ay ENPUT 1 Koay ACEP 
iptables —A OUTPUT —o Io —7 ACCEPT 


# allow ssh over ethO from outside to system 
iptables! =A) INPUL =i eth0" =p tcp) =-dport 22) =7) ACCEPT 
iptables -A OUTPUT -o ethO -p tcp Soom 22) =F) iNeeiae/1b 


# allow any traffic from 10.1.1.0/24 to system 
iptables -A INPUT -i ethl -s 10.1.1.0/24 -p tcp -j ACCEPT 
iptables —Ay OUTPUL —o ‘ethiy —d l0n i 0/7245 —p tcp —7) ACCERT 
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11.3.9. Allowing ICMP(ping) 


When you enable iptables, you will get an 'Operation not permitted' message when trying 
to ping other hosts. 


[root@RHELS ~# ping 192.168.187.130 

PING 92 N68. 237.030) (UIA e hog sis] N30) 56 (84) bytes of data. 
ping: sendmsg: Operation not permitted 

ping: sendmsg: Operation not permitted 


The screenshot below shows you how to setup iptables to allow a ping from or to your 
machine. 


[root@RHEL5 ~]# iptables -A INPUT -p icmp icmp-type any -j ACCEPT 
[root@RHEL5 ~]# iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT 


The previous two lines do not allow other computers to route ping messages through your 
router, because it only handles INPUT and OUTPUT. For routing of ping, you will need 
to enable it on the FORWARD chain. The following command enables routing of icmp 
messages between networks. 


[root@RHEL5 ~]# iptables -A FORWARD -p icmp icmp-type any -j ACCEPT 
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11.4. practice: packet filtering 


1. Make sure you can ssh to your router-system when iptables is active. 
2. Make sure you can ping to your router-system when iptables is active. 


3. Define one of your networks as ‘internal’ and the other as 'external'. Configure the router 
to allow visits to a website (http) to go from the internal network to the external network 
(but not in the other direction). 


4, Make sure the internal network can ssh to the external, but not the other way around. 
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11.5. solution: packet filtering 


A possible solution, where leftnet is the internal and rightnet is the external network. 
#!/bin/bash 


# first cleanup everything 
iptables -t filter -F 
iptables -t filter -xX 
iptables -t nat -F 
iptables -t nat -X 


# default drop 

iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT DROP 


# allow loopback device 
iptables -A INPUT -i lo -—j ACCEPT 
iptables -A OUTPUT -o lo -j ACCEPT 


# question 1: allow ssh over eth0O 
iptables: —Ay tNPUd —tethOl pte ——dpomte 27,77) ACCHE 
iptables -A OUTPUT -o ethO -p tcp Soom 22. =a) INeKe\aieI: 


# question 2: Allow icmp(ping) anywhere 

iptables -A INPUT -p icmp icmp-type any -j ACCEPT 
iptables -A FORWARD -p icmp icmp-type any —j ACCEPT 
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT 


# question 3: allow http from internal(leftnet) to external (rightnet) 
iptables -A FORWARD -i ethl -o eth2 -p tcp --dport 80 -j ACCEPT 
iptables -A FORWARD -i eth2 -o ethl -p tcp --sport 80 -j ACCEPT 


# question 4: allow ssh from internal(leftnet) to external (rightnet) 
iptables -A FORWARD -i ethl -o eth2 -p tcp --dport 22 -j ACCEPT 
iptables -A FORWARD -i eth2 -o ethl -p tcp --sport 22 -j ACCEPT 


# allow http from external (rightnet) to internal (leftnet) 
# iptables -A FORWARD -i eth2 -o ethl -p tcp --dport 80 -j ACCEPT 
# iptables -A FORWARD -i ethl -o eth2 -p tcp --sport 80 - j ACCEPT 


# allow rpcinfo over eth0O from outside to system 
sLSjeelolleys) WN INIPIUE ab Gyelayy je) ieeje) ——clererate ibilil 5) “leleiaieab 
# iptables -A OUTPUT -o eth2 -p tcp sport Il -7 ACCEPT 


se 


93 


iptables firewall 


11.6. network address translation 
11.6.1. about NAT 


A NAT device is a router that is also changing the source and/or target ip-address in packets. 
It is typically used to connect multiple computers in a private address range with the (public) 
internet. A NAT can hide private addresses from the internet. 


NAT was developed to mitigate the use of real ip addresses, to allow private address ranges 
to reach the internet and back, and to not disclose details about internal networks to the 
outside. 


The nat table in iptables adds two new chains. PREROUTING allows altering of packets 
before they reach the INPUT chain. POSTROUTING allows altering packets after they exit 
the OUTPUT chain. 


= <> 
( 


Bo -- >- ea 


Use iptables -t nat -nvL to look at the NAT table. The screenshot below shows an empty 
NAT table. 


[root@RHEL5 ~]# iptables -t nat -nL 
Chain PREROUTING (policy ACCEPT) 
target prot opt source destination 


Chain POSTROUTING (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 


target prot opt source destination 
[root@RHEL5 ~]# 
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11.6.2. SNAT (Source NAT) 


The goal of source nat is to change the source address inside a packet before it leaves the 
system (e.g. to the internet). The destination will return the packet to the NAT-device. This 
means our NAT-device will need to keep a table in memory of all the packets it changed, so 
it can deliver the packet to the original source (e.g. in the private network). 


Because SNAT is about packets leaving the system, it uses the POSTROUTING chain. 


Here is an example SNAT rule. The rule says that packets coming from 10.1.1.0/24 network 
and exiting via eth! will get the source ip-address set to 11.12.13.14. (Note that this is a 
one line command!) 


iptables -t nat -A POSTROUTING -o ethl -s 10.1.1.0/24 -j SNAT \ 
=—to-source dln dia 1S 14 


Of course there must exist a proper iptables filter setup to allow the packet to traverse from 
one network to the other. 


11.6.3. SNAT example setup 


This example script uses a typical nat setup. The internal (ethO) network has access via 
SNAT to external (eth1) webservers (port 80). 


#!/bin/bash 

# 

# iptables script for simple classic nat websurfing 

# ethO is internal network, ethl is internet 

# 

echo 0 > /proc/sys/net/ipv4/ip_forward 

iptables -P INPUT ACCEPT 

iptables -P OUTPUT ACCEPT 

iptables -P FORWARD DROP 

iptables -A FORWARD -i eth0O -o ethl -s 10.1.1.0/24 -p tcp \ 
-—CpoOrt 07) ACCEPT 

iptables —A FORWARD) =1 eth! —o eth0! —d 10. 1.120/724 =p tcp: \ 
=—sponmt, 30) =a ACCEPT 

iptables -t nat -A POSTROUTING -o ethl -s 10.1.1.0/24 -j SNAT \ 
==to-source J1 712213). 14 

echo 1 > /proc/sys/net/ipv4/ip_forward 
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11.6.4. IP masquerading 


IP masquerading is very similar to SNAT, but is meant for dynamic interfaces. Typical 
example are broadband 'router/modems' connected to the internet and receiving a different 
ip-address from the isp, each time they are cold-booted. 


The only change needed to convert the SNAT script to a masquerading is one line. 


iptables -t nat -A POSTROUTING -o ethl -s 10.1.1.0/24 -—j MASQUERADE 
11.6.5. DNAT (Destination NAT) 


DNAT is typically used to allow packets from the internet to be redirected to an internal 
server (in your DMZ) and in a private address range that is inaccessible directly form the 
internet. 


This example script allows internet users to reach your internal (192.168.1.99) server via 
ssh (port 22). 


#!/bin/bash 

# 

# iptables script for DNAT 

# ethO is internal network, ethl is internet 

# 

echo 0 > /proc/sys/net/ipv4/ip_forward 

iptables -P INPUT ACCEPT 

iptables -P OUTPUT ACCEPT 

iptables -P FORWARD DROP 

iptables -A FORWARD -i ethO -o ethl -s 10.1.1.0/24 -4 ACCEPT 
iptables -A FORWARD -i ethl -o ethO -p tcp --dport 22 -j ACCEPT 
iptables -t nat -A PREROUTING -i ethl -p tcp --dport 22 \ 

=i) DNA —-co-destimatton HOR 99 

echo 1 > /proc/sys/net/ipv4/ip_forward 
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Chapter 12. introduction to SELinux 


Security Enhanced Linux or SELinux is a set of modifications developed by the United 
States National Security Agency (NSA) to provide a variety of security policies for Linux. 
SELinux was released as open source at the end of 2000. Since kernel version 2.6 it is an 
integrated part of Linux. 


SELinux offers security! SELinux can control what kind of access users have to files and 
processes. Even when a file received chmod 777, SELinux can still prevent applications 
from accessing it (Unix file permissions are checked first!). SELinux does this by placing 
users in roles that represent a security context. Administrators have very strict control on 
access permissions granted to roles. 


SELinux is present in the latest versions of Red Hat Enterprise Linux, Debian, CentOS, 
Fedora, and many other distributions.. 
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12.1. selinux modes 


selinux knows three modes: enforcing, permissive and disabled. The enforcing mode will 
enforce policies, and may deny access based on selinux rules. The permissive mode will not 
enforce policies, but can still log actions that would have been denied in enforcing mode. 
The disabled mode disables selinux. 


12.2. logging 


Verify that syslog is running and activated on boot to enable logging of deny messages in 
/var/log/messages. 


[root@rhel55 ~]# chkconfig --list syslog 
syslog Oroft lott 2ton 330n 4:0n Son 6rort 


Verify that auditd is running and activated on boot to enable logging of easier to read 
messages in /var/log/audit/audit.log. 


[root@rhe1l55 ~]# chkconfig --list auditd 
auditd Osork ior Avon Stione4 on, Scion 6 o re 


If not activated, then run chkconfig --levels 2345 auditd on and service auditd start. 
[root@rhel55 ~]# service auditd status 

auditd (pid 1660) is running... 

[root@rhel55 ~]# service syslog status 


syslogd (pid 1688) is running... 
Lelkexejel (Goukel iis Sul) sbcy aaibhonslabiave/ 5 5 4 


The /var/log/messages log file will tell you that selinux is disabled. 


root@deb503:~# grep -i selinux /var/log/messages 
Jun 25 15:59:34 deb503 kernel: [ 0.084083] SELinux: Disabled at boot. 


Or that it is enabled. 


root@deb503:~# grep SELinux /var/log/messages | Sfigejo) — iL Ibiolife 
Jun 25 15:09:52 deb503 kernel: [ 0.084094] SELinux: Ibiptaleatfel Bak y4uliove 


12.3. activating selinux 


On RHEL you can use the GUI tool to activate selinux, on Debian there is the selinux- 
activate command. Activation requires a reboot. 


root@deb503:~# selinux-activate 
Activating SE Linux 


Searching for GRUB installation directory ... found: /boot/grub 

Searching for default file ... found: /boot/grub/default 

Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.1lst 
Searching for splash image ... none found, skipping 

Found kernel: /boot/vmlinuz-2.6.26-2-686 

Updating /boot/grub/menu.lst ... done 


SE Linux is activated. You may need to reboot now. 
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12.4. getenforce 


Use getenforce to verify whether selinux is enforced, disabled or permissive. 


[root@rhel55 ~]# getenforce 
Permissive 


The /selinux/enforce file contains 1 when enforcing, and 0 when permissive mode is active. 


root@fedoral3 ~# cat /selinux/enforce 
lroot@fedoral3 ~# 


12.5. setenforce 


You can use setenforce to switch between the Permissive or the Enforcing state once 
selinux is activated.. 


[root@rhel55 ~]# setenforce Enforcing 
[root@rhel55 ~]# getenforce 

Enforcing 

[root@rhel55 ~]# setenforce Permissive 
[root@rhel55 ~]# getenforce 

Permissive 


Or you could just use 0 and | as argument. 


[root@centos65 ~]# setenforce 1 
[root@centos65 ~]# getenforce 
Enforcing 

[root@centos65 ~]# setenforce 0 
[root@centos65 ~]# getenforce 
Permissive 

[root@centos65 ~]# 
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12.6. sestatus 


You can see the current selinux status and policy with the sestatus command. 


[root@rhel55 ~]# sestatus 


SELinux status: enabled 
SELinuxfs mount: /selinux 
Current mode: permissive 
Mode from config file: permissive 
Policy version: 21 

Policy from config file: targeted 


12.7. policy 


Most Red Hat server will have the targeted policy. Only NSA/FBI/CIA/DOD/HLS use the 
mis policy. 


The targted policy will protect hundreds of processes, but lets other processes run 
‘unconfined' (= they can do anything). 


12.8. /etc/selinux/config 


The main configuration file for selinux is /etc/selinux/config. When in permissive mode, 
the file looks like this. 


The targeted policy is selected in /etc/selinux/config. 


[root@centos65 ~]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system. 
# SELINUX= can take one of these three values: 


# enforcing - SELinux security policy is enforced. 
# permissive - SELinux prints warnings instead of enforcing. 
# disabled - SELinux is fully disabled. 


SELINUX=permissive 

# SELINUXTYPE= type of policy in use. Possible values are: 

# targeted - Only targeted network daemons are protected. 
# Strict — Hull SELinux protection: 

SELINUXTYPE=targeted 
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12.9. DAC or MAC 


Standard Unix permissions use Discretionary Access Control to set permissions on files. 
This means that a user that owns a file, can make it world readable by typing chmod 777 
$file. 


With selinux the kernel will enforce Mandatory Access Control which strictly controls 
what processes or threads can do with files (superseding DAC). Processes are confined by 
the kernel to the minimum access they require. 


SELinux MAC is about labeling and type enforcing! Files, processes, etc are all labeled with 
an SELinux context. For files, these are extended attributes, for processes this is managed 
by the kernel. 


The format of the labels is as follows: 
user:role:type: (level) 


We only use the type label in the targeted policy. 
12.10. Is -2 


To see the DAC permissions on a file, use Is -1 to display user and group owner and 
permissions. 


For MAC permissions there is new -Z option added to Is. The output shows that file in /root 
have a XXXtype of admin_home_t. 


[root@centos65 ~]# ls -Z 


Sy = - root root system_u:object_r:admin_home_t:s0O anaconda-ks.cfg 
-rw-r--r--. root root system_u:object_r:admin_home_t:s0O install.log 
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog 


[root@centos65 ~]# useradd -m -s /bin/bash pol 
[root@centos65 ~]# 1s -Z /home/pol/.bashrec 
=bw-r—-r——., pol poll unconfined: object rsuser home t:s0 /home/pol/ .bashre 


12.11. -Z 


There are also some other tools with the -Z switch: 


mkdir -Z 
ep =Z 
joss =A 


netstat —Z. 
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12.12. /selinux 


When selinux is active, there is a new virtual file system named /selinux. (You can compare 
it to /proc and /dev.) 


POOL, FOO 
root roo 
TOOL. LOO 


—rw-rw-rw-. Apr 12 19:40 relabel 
Apr 12 19:40 status 


Apr 12 19:40 user 


SRS=rS=E== 


[root@centos65 ~]# ls -1 /selinux/ 
Pocalend 
=EW=rw—-tw=. ) 1 root LOor OQ Apr 12 19:40 access 
dp=xr—-xr—x. | 2) GOO LOO OQ Apr 12 19:40 avec 
Gis ie la Xe OO EEOOr OQ Apr 12 19:40 booleans 
Sey =, Ih IGE TOKE OQ Apr 12 19:40 checkregprot 
Glia saig— le Xe CSU @ Ole 2OOlE OQ Apr 12 19:40 class 
Haya aaa PE EOO EEO OQ Apr 12 19:40 commit_pending_bools 
=Ew-rw-Ew-. 1 root Toor QO Apr 12 19:40 context 
ray db iereysiie gexec OQ Apr 12 19:40 create 
eee IE iclofoye setOVO Ne! QO Apr 12 19:40 deny_unknown 
SSeS LE EOOE EO OQ Apr 12 19:40 disable 
agyij—e——1a— IL SatoVone. seOlONE OQ Apr 12 19:40 enforce 
felis pie ie, A 1EIOYSIE TEKOLOHE OQ Apr 12 19:40 initial_contexts 
SiS Se Te LOOr Loot QO Apr 12 19:40 load 
aii, db iatoxae seOloie OQ Apr 12 19:40 member 
ee aa Geloyone. aeO\Cl= OQ Apr 12 19:40 mls 
hare db acter weroyeie Ihe) Nowe iA Abs) e240) ieyelIEaL 
iat eieaiieiieniaiiion Ty BOOr. Oot © Apr 12 19:40 policy 
olia—=y.dig@ gia YA AOXSIE IELOLSE 0 Apr 12 19:40 policy_capabilities 
eee, Sate VoNe. SEOCE OQ Apr 12 19:40 policyvers 
Se, I OIE HOKE OQ Apr 12 19:40 reject_unknown 

il Es 0 

aL ite 0 

ak E 0 


=EwW—] EW SEW, 
Although some files in /selinux appear wih size 0, they often contain a boolean value. Check 
/selinux/enforce to see if selinux is running in enforced mode. 

[root@RHEL5 ~]# 1s -1l /selinux/enforce 

EW isa leOot Oot WMADE 29 OS 2is/ selimux/entonce 


[root@RHEL5 ~]# echo $(cat /selinux/enforce) 
a 


12.13. identity 


The SELinux Identity of a user is distinct from the user ID. An identity is part of a security 
context, and (via domains) determines what you can do. The screenshot shows user root 
having identity user_u. 


[root@rhel55 ~]# id -Z 
user_u:system_r:unconfined_t 


12.14. role 


The selinux role defines the domains that can be used. A role is denied to enter a domain, 
unless the role is explicitely authorized to do so. 
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12.15. type (or domain) 


The selinux context is the security context of a process. An selinux type determines what a 
process can do. The screenshot shows init running in type init_t and the mingetty's running 
in type getty_t. 


[root@centos65 ~]# ps fax —-Z | grep /sbin/init 


system_u:system_r:init_t:s0 alae, Ss 0:00 /sbin/init 
[root@centos65 ~]# ps fax —-Z | grep getty_t 

system_u:system_r:getty_t:s0 1307 ttyl Sst 0:00 /sbin/mingetty /dev/ttyl 
system_u:system_r:getty_t:s0 UO EZ Sst+ 0:00 /sbin/mingetty /dev/tty2 
system_u:system_r:getty_t:s0 alclabal fee sies) Sst+ 0:00 /sbin/mingetty /dev/tty3 
system_u:system_r:getty_t:s0 Seles EE y.4 Sst+ 0:00 /sbin/mingetty /dev/tty4 
system_u:system_r:getty_t:s0 120 Mery Sst 0:00 /sbin/mingetty /dev/tty5 
system_u:system_r:getty_t:s0 USO ies Sst+ 0:00 /sbin/mingetty /dev/tty6 


The selinux type is similar to an selinux domain, but refers to directories and files instead 
of processes. 


Hundreds of binaries also have a type: 


[root@centos65 sbin]# ls -1Z useradd usermod userdel httpd postcat postfix 
—-rwxr-xXr-x. root root system_u:object_r:httpd_exec_t:s0 httpd 

-rwxr-xr-x. root root system_u:object_r:postfix_master_exec_t:s0 postcat 
—-rwxr-xXr-x. root root system_u:object_r:postfix_master_exec_t:s0 postfix 


-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 useradd 
—-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 userdel 
-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 usermod 


Ports also have a context. 
[root@centos65 sbin]# netstat -nptlzZ | ‘Gr es. ot | cub =d! =" =E6= 


Foreign Address State PID/Program name Security Context 
LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0 
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 
LISTEN 1284/master system_u:system_r:postfix_master_t:s0 
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0 

LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0 
LISTEN 1666/httpd unconfined_u:system_r:httpd_t:s0 
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0 

LISTEN 1284/master system_u:system_r:postfix_master_t:s0 


You can also get a list of ports that are managed by SELinux: 


[root@centos65 ~]# semanage port -l | tail 

ZESLpOERELe tcp 7100 
xserver_port_t ECD 6000-6150 
zabbix_agent_port_t tcp 10050 
zabbix_port_t tcp 10051 
zarafa_port_t ep 2316, 231 
zebra_port_t tcp 2600-2604, 2606 
zebra_port_t udp 2600-2604, 2606 
zented_port_t 1Efe}®) INES) 
zented_port_t udp 1228) 
zope_port_t tcp 8021 
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12.16. security context 


The combination of identity, role and domain or type make up the selinux security context. 
The id will show you your security context in the form identity:role:domain. 


[paul@RHEL5 ~]$ id | cut -d' ' -£4 
context=user_u:system_r:unconfined_t 


The Is -Z command shows the security context for a file in the form identity:role:type. 


[paul@RHEL5 ~]$ 1s -Z test 
-rw-rw-r-- paul paul user_u:object_r:user_home_t Pesiz 


The security context for processes visible in /proc defines both the type (of the file in /proc) 
and the domain (of the running process). Let's take a look at the init process and /proc/1/ . 


The init process runs in domain init_t. 
[root@RHEL5 ~]# ps -ZC init 


LABEL 12D) Lan Ne TIME CMD 
system_u:system_r:init_t i 2 OOOO OM ahaaite 


The /proc/1/ directory, which identifies the init process, has type init_t. 


[root@RHEL5 ~]# 1s -Zd /proc/1/ 
dr-xr-xr-x root root system_u:system_r:init_t Jisnetorey/ sk// 


It is not a coincidence that the domain of the init process and the type of /proc/1/ are both 
init_t. 


Don't try to use chcon on /proc! It will not work. 


12.17. transition 


An selinux transition (aka an selinux labelling) determines the security context that will be 
assigned. A transition of process domains is used when you execute a process. A transition 
of file type happens when you create a file. 


An example of file type transition. 


[pol@centos65 ~]$ touch test /tmp/test 
[pol@centos65 ~]$ ls -Z test 


-rw-rw-r--. pol pol unconfined_u:object_r:user_home_t:s0 test 
[pol@centos65 ~]$ ls -Z /tmp/test 
-rw-rw-r--. pol pol unconfined_u:object_r:user_tmp_t:s0 /tmp/test 
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12.18. extended attributes 


Extended attributes are used by selinux to store security contexts. These attributes can be 
viewed with Is when selinux is running. 


[root@RHEL5 home]# 1s --context 

lia ip paul paul system_u:object_r:user_home_dir_t paul 
drwxr-xr-x root root user_u:object_r:user_home_dir_t project42 
drwxr-xr-x root root user_u:object_r:user_home_dir_t project55 
[root@RHEL5 home]# 1s -Z 

ela ip paul paul system_u:object_r:user_home_dir_t paul 
drwxr-xr-x root root user_u:object_r:user_home_dir_t project42 
drwxr-xr-x root root user_u:object_r:user_home_dir_t project55 
[root@RHEL5 home] # 


When selinux is not running, then getfattr is the tool to use. 
[root@RHEL5 etc]# getfattr -m . -d hosts 


# file: hosts 
security.selinux="system_u:object_r:etc_t:s0\000" 


12.19. process security context 


A new option is added to ps to see the selinux security context of processes. 


[root@RHEL5 etc]# ps —ZC mingetty 


LABEL 12MIBD)  ALENE TIME CMD 
system_u:system_r:getty_t 294 ey 00:00:00 mingetty 
system_u:system_r:getty_t 2942 tty2 00:00:00 mingetty 


12.20. chcon 


Use chcon to change the selinux security context. 


This example shows how to use chcon to change the type of a file. 


[root@rhel55 ~]# 1s -Z /var/www/html/test42.txt 


-rw-r--r-- root root user_u:object_r:httpd_sys_content_t /var/www/html/test4\ 
2. ext 


[root@rhel55 ~]# chcon -t samba_share_t /var/www/html/test42.txt 
[root@rhel55 ~]# 1s -Z /var/www/html/test42.txt 
-rw-r--r-- root root user_u:object_r:samba_share_t /var/www/html/test42.txt 


Be sure to read man chcon. 
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12.21. an example 


The Apache2 webserver is by default targeted with SELinux. The next screenshot shows 
that any file created in /var/www/html will by default get the httpd_sys_content_t type. 


[root@centos65 ~]# touch /var/www/html/test42.txt 

[root@centos65 ~]# ls -Z /var/www/html/test42.txt 

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/h\ 
tml/test42.txt 


Files created elsewhere do not get this type. 
[root@centos65 ~]# touch /root/test42.txt 


[root@centos65 ~]# ls -Z /root/test42.txt 
-hWw-t—-—-r—-— 4 FOO root Unconfined usjobject. radmin homent 7s0))/rnoot/test42 txt 


Make sure Apache2 runs. 


[root@centos65 ~]# service httpd restart 
Stopping httpd: L Or 
Starting httpd: Lie || 


Will this work ? Yes it does. 


[root@centos65 ~]# wget http://localhost/test42.txt 


--2014-04-12 20:56:47-- http://localhost/test42.txt 
Resolve? ocallnositeer-s iscslln leet Ol Oe: 

Connecting to localhost|::1|:80... connected. 

HTTP request sent, awaiting response... 200 OK 


Length: 0 [text/plain] 
Saving to: “test42.txt” 


Why does this work ? Because Apache? runs in the httpd_t domain and the files in /var/ 
www/html have the httpd_sys_content_t type. 


[root@centos65 ~]# ps -ZC httpd | head -4 


LABEL 12XIHD) ARIE NE TIME CMD 

unconfined_u:system_r:httpd_t:s0 1666 ? 00:00:00 httpd 
unconfined_u:system_r:httpd_t:s0 1668 ? 00:00:00 httpd 
unconfined_u:system_r:httpd_t:s0 1669 ? 00:00:00 httpd 
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So let's set SELinux to enforcing and change the type of this file. 


[root@centos65 ~]# chcon -t samba_share_t /var/www/html/test42.txt 
[root@centos65 ~]# ls -Z /var/www/html/test42.txt 


-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /var/www/html1/t\ 
est42.txt 

[root@centos65 ~]# setenforce 1 

[root@centos65 ~]# getenforce 

Enforcing 


There are two possibilities now: either it works, or it fails. It works when selinux is in 
permissive mode, it fails when in enforcing mode. 


[root@centos65 ~]# wget http://localhost/test42.txt 


—--2014-04-12 21:05:02-- http://localhost/test42.txt 
Resolvamnc locadlhosien sy eecsle  LAre Ol OL 

Connecting to localhost|::1|:80... connected. 

HTTP request sent, awaiting response... 403 Forbidden 


2014-04-12 21:05:02 ERROR 403: Forbidden. 


The log file gives you a cryptic message... 


[root@centos65 ~]# tail -3 /var/log/audit/audit.log 

type=SYSCALL msg=audit (1398200702.803:64): arch=c000003e syscall=4 succ\ 
ess=no exit=-13 a0=7f£5fbc334d70 al=7f£f£553b4f10 a2=7fFf553b4f10 a3=0 it\ 
ems=0 ppid=1666 pid=1673 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=4\ 
8 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin\ 
/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 

type=AVC msg=audit (1398200702.804:65): avec: denied { getattr } for p\ 
id=1673 comm="httpd" path="/var/www/html/test42.txt" dev=dm-0 ino=26324\ 
1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:objec\ 
t_r:samba_share_t:s0 tclass=file 

type=SYSCALL msg=audit (1398200702.804:65): arch=c000003e syscall=6 succ\ 
ess=no exit=-13 a0=7f£5fbc334e40 al=7fff553b4f10 a2=7fFF553b4f10 a3=1 it\ 
ems=0 ppid=1666 pid=1673 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=4\ 
8 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin\ 
/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 


And /var/log/messages mentions nothing of the failed download. 
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12.22. setroubleshoot 


The log file above was not very helpful, but these two packages can make your life much 
easier. 


[root@centos65 ~]# yum -y install setroubleshoot setroubleshoot-server 


You need to reboot for this to work... 


So we reboot, restart the httpd server, reactive SELinux Enforce, and do the wget again... 
and it fails (because of SELinux). 


root@centos65 ~]# service httpd restart 
Stopping httpd: [FAILED] 
Starting httpd: [ OK J 
root@centos65 ~]# getenforce 
Permissive 
root@centos65 ~]# setenforce 1 
root@centos65 ~]# getenforce 
Enforcing 
root@centos65 ~]# wget http://localhost/test42.txt 
--2014-04-12 21:44:13-- http://localhost/test42.txt 
Reselvaimn@ locales tryeses fly, ee a7 Or Ohee 
Connecting to localhost|::1|:80... connected. 
HTTP request sent, awaiting response... 403 Forbidden 


2014-04-12 21:44:13 ERROR 403: Forbidden. 


The /var/log/audit/ is still not out best friend, but take a look at /var/log/messages. 


[root@centos65 ~]# tail -2 /var/log/messages 

Apr 12 21:44:16 centos65 setroubleshoot: SELinux is preventing /usr/sbin/h\ 
ttpd from getattr access on the file /var/www/html/test42.txt. For complete \ 
SELinux messages. run sealert -1l b2a84386—-54c1-—4344-96fb-—dcf£969776696 

Apr 12 21:44:16 centos65 setroubleshoot: SELinux is preventing /usr/sbin/h\ 
ttpd from getattr access on the file /var/www/html/test42.txt. For complete \ 
SELinux messages. run sealert -1l b2a84386—-54c1-—4344-96fb-—dcf£969776696 


So we run the command it suggests... 


[root@centos65 ~]# sealert -1l b2a84386-54c1-4344-96fb-dcf969776696 
SELinux is preventing /usr/sbin/httpd from getattr access on the file /va\ 
r/www/html/test42.txt. 


presses jp iliblejalig seloeic(euecieleiel ((Y2.42 eloigueslteleuelele})) Gybllese(esene tes a tetas iat ta snes tan cies seers 


If you want to fix the label. 

/var/www/html/test42.txt default label should be httpd_sys_content_t. 
Then you can run restorecon. 

Do 

# /sbin/restorecon -v /var/www/html/test42.txt 
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We follow the friendly advice and try again to download our file: 


[root@centos65 ~]# /sbin/restorecon -v /var/www/html/test42.txt 
/sbin/restorecon reset /var/www/html/test42.txt context unconfined_u:objec\ 
t_r:samba_share_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 
[root@centos65 ~]# wget http://localhost/test42.txt 


—--2014-04-12 21:54:03-- http://localhost/test42.txt 
i@rxenlyaiieve; ieresullnesieaan Sib 127.050). i 

Connecting to localhost|::1|:80... connected. 

HTTP request sent, awaiting response... 200 OK 

It works! 
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12.23. booleans 


Booleans are on/off switches 


[root@centos65 ~]# getsebool -a | head 
abrt_anon_write --> off 
abrt_handle_event --> off 
lLlow_console_login --> on 
llow_cvs_read_shadow --> off 
llow_daemons_dump_core --> on 
llow_daemons_use_tcp_wrapper --> off 
llow_daemons_use_tty --> on 
llow_domain_fd_use --> on 
llow_execheap --> off 

llow_execmem --> on 


Pee eooop 


You can set and read individual booleans. 


[root@centos65 ~]# setsebool httpd_read_user_content=1 
[root@centos65 ~]# getsebool httpd_read_user_content 
httpd_read_user_content --> on 


[root@centos65 ~]# setsebool httpd_enable_homedirs=1 
[root@centos65 ~]# getsebool httpd_enable_homedirs 
httpd_enable_homedirs --> on 


You can set these booleans permanent. 


[root@centos65 ~]# setsebool -P httpd_enable_homedirs=1 
[root@centos65 ~]# setsebool -P httpd_read_user_content=1 


The above commands regenerate the complete /etc/selinux/targeted directory! 
[root@centos65 ~]# cat /etc/selinux/targeted/modules/active/booleans.local 
# This file is auto-generated by libsemanage 


# Do not edit directly. 


httpd_enable_homedirs=1 
httpd_read_user_content=1 
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GNU Free Documentation License 
Version 1.3, 3 November 2008 
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. 


Everyone is permitted to copy and distribute verbatim copies of this 
license document, but changing it is not allowed. 


0. PREAMBLE 


The purpose of this License is to make a manual, textbook, or other 
functional and useful document "free" in the sense of freedom: to 
assure everyone the effective freedom to copy and redistribute it, 
with or without modifying it, either commercially or noncommercially. 
Secondarily, this License preserves for the author and publisher a way 
to get credit for their work, while not being considered responsible 
for modifications made by others. 


This License is a kind of "copyleft", which means that derivative 
works of the document must themselves be free in the same sense. It 
complements the GNU General Public License, which is a copyleft 
license designed for free software. 


We have designed this License in order to use it for manuals for free 
software, because free software needs free documentation: a free 
program should come with manuals providing the same freedoms that the 
software does. But this License is not limited to software manuals; it 
can be used for any textual work, regardless of subject matter or 
whether it is published as a printed book. We recommend this License 
principally for works whose purpose is instruction or reference. 


1. APPLICABILITY AND DEFINITIONS 


This License applies to any manual or other work, in any medium, that 
contains a notice placed by the copyright holder saying it can be 
distributed under the terms of this License. Such a notice grants a 
world-wide, royalty-free license, unlimited in duration, to use that 
work under the conditions stated herein. The "Document", below, refers 
to any such manual or work. Any member of the public is a licensee, 
and is addressed as "you". You accept the license if you copy, modify 
or distribute the work in a way requiring permission under copyright 
law. 


A "Modified Version" of the Document means any work containing the 
Document or a portion of it, either copied verbatim, or with 
modifications and/or translated into another language. 


A "Secondary Section" is a named appendix or a front-matter section of 
the Document that deals exclusively with the relationship of the 
publishers or authors of the Document to the Document's overall 
subject (or to related matters) and contains nothing that could fall 
directly within that overall subject. (Thus, if the Document is in 
part a textbook of mathematics, a Secondary Section may not explain 
any mathematics.) The relationship could be a matter of historical 
connection with the subject or with related matters, or of legal, 
commercial, philosophical, ethical or political position regarding 
them. 


The "Invariant Sections" are certain Secondary Sections whose titles 
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are designated, as being those of Invariant Sections, in the notice 
that says that the Document is released under this License. If a 
section does not fit the above definition of Secondary then it is not 
allowed to be designated as Invariant. The Document may contain zero 
Invariant Sections. If the Document does not identify any Invariant 
Sections then there are none. 


The "Cover Texts" are certain short passages of text that are listed, 
as Front-Cover Texts or Back-Cover Texts, in the notice that says that 
the Document is released under this License. A Front-Cover Text may be 
at most 5 words, and a Back-Cover Text may be at most 25 words. 


A "Transparent" copy of the Document means a machine-readable copy, 
represented in a format whose specification is available to the 
general public, that is suitable for revising the document 
straightforwardly with generic text editors or (for images composed of 
pixels) generic paint programs or (for drawings) some widely available 
drawing editor, and that is suitable for input to text formatters or 
for automatic translation to a variety of formats suitable for input 
to text formatters. A copy made in an otherwise Transparent file 
format whose markup, or absence of markup, has been arranged to thwart 
or discourage subsequent modification by readers is not Transparent. 
An image format is not Transparent if used for any substantial amount 
of text. A copy that is not "Transparent" is called "Opaque". 


Examples of suitable formats for Transparent copies include plain 
ASCII without markup, Texinfo input format, LaTeX input format, SGML 
or XML using a publicly available DTD, and standard-conforming simple 
HTML, PostScript or PDF designed for human modification. Examples of 
transparent image formats include PNG, XCF and JPG. Opaque formats 
include proprietary formats that can be read and edited only by 
proprietary word processors, SGML or XML for which the DTD and/or 
processing tools are not generally available, and the 
machine-generated HIML, PostScript or PDF produced by some word 
processors for output purposes only. 


The "Title Page" means, for a printed book, the title page itself, 
plus such following pages as are needed to hold, legibly, the material 
this License requires to appear in the title page. For works in 
formats which do not have any title page as such, "Title Page" means 
the text near the most prominent appearance of the work's title, 
preceding the beginning of the body of the text. 


The "publisher" means any person or entity that distributes copies of 
the Document to the public. 


A section "Entitled XYZ" means a named subunit of the Document whose 
title either is precisely XYZ or contains XYZ in parentheses following 
text that translates XYZ in another language. (Here XYZ stands for a 
specific section name mentioned below, such as "Acknowledgements", 
"Dedications", "Endorsements", or "History".) To "Preserve the Title" 
of such a section when you modify the Document means that it remains a 
section "Entitled XYZ" according to this definition. 


The Document may include Warranty Disclaimers next to the notice which 
states that this License applies to the Document. These Warranty 
Disclaimers are considered to be included by reference in this 
License, but only as regards disclaiming warranties: any other 
implication that these Warranty Disclaimers may have is void and has 
no effect on the meaning of this License. 


2. VERBATIM COPYING 


You may copy and distribute the Document in any medium, either 
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commercially or noncommercially, provided that this License, the 
copyright notices, and the license notice saying this License applies 
to the Document are reproduced in all copies, and that you add no 
other conditions whatsoever to those of this License. You may not use 
technical measures to obstruct or control the reading or further 
copying of the copies you make or distribute. However, you may accept 
compensation in exchange for copies. If you distribute a large enough 
number of copies you must also follow the conditions in section 3. 


You may also lend copies, under the same conditions stated above, and 
you may publicly display copies. 


3. COPYING IN QUANTETY 


If you publish printed copies (or copies in media that commonly have 
printed covers) of the Document, numbering more than 100, and the 
Document's license notice requires Cover Texts, you must enclose the 
copies in covers that carry, clearly and legibly, all these Cover 
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on 
the back cover. Both covers must also clearly and legibly identify you 
as the publisher of these copies. The front cover must present the 
full title with all words of the title equally prominent and visible. 
You may add other material on the covers in addition. Copying with 
changes limited to the covers, as long as they preserve the title of 
the Document and satisfy these conditions, can be treated as verbatim 
copying in other respects. 


If the required texts for either cover are too voluminous to fit 
legibly, you should put the first ones listed (as many as fit 
reasonably) on the actual cover, and continue the rest onto adjacent 
pages. 


If you publish or distribute Opaque copies of the Document numbering 
more than 100, you must either include a machine-readable Transparent 
copy along with each Opaque copy, or state in or with each Opaque copy 
a computer-network location from which the general network-using 
public has access to download using public-standard network protocols 
a complete Transparent copy of the Document, free of added material. 
If you use the latter option, you must take reasonably prudent steps, 
when you begin distribution of Opaque copies in quantity, to ensure 
that this Transparent copy will remain thus accessible at the stated 
location until at least one year after the last time you distribute an 
Opaque copy (directly or through your agents or retailers) of that 
edition to the public. 


It is requested, but not required, that you contact the authors of the 
Document well before redistributing any large number of copies, to 
give them a chance to provide you with an updated version of the 
Document. 


4. MODIFICATIONS 


You may copy and distribute a Modified Version of the Document under 
the conditions of sections 2 and 3 above, provided that you release 
the Modified Version under precisely this License, with the Modified 
Version filling the role of the Document, thus licensing distribution 
and modification of the Modified Version to whoever possesses a copy 
of it. In addition, you must do these things in the Modified Version: 


* A. Use in the Title Page (and on the covers, if any) a title 
distinct from that of the Document, and from those of previous 
versions (which should, if there were any, be listed in the History 
section of the Document). You may use the same title as a previous 
version if the original publisher of that version gives permission. 
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* B. List on the Title Page, as authors, one or more persons or 
entities responsible for authorship of the modifications in the 
Modified Version, together with at least five of the principal authors 
of the Document (all of its principal authors, if it has fewer than 
five), unless they release you from this requirement. 

* C. State on the Title page the name of the publisher of the 
Modified Version, as the publisher. 

* D. Preserve all the copyright notices of the Document. 

* E. Add an appropriate copyright notice for your modifications 
adjacent to the other copyright notices. 

* F. Include, immediately after the copyright notices, a license 
notice giving the public permission to use the Modified Version under 
the terms of this License, in the form shown in the Addendum below. 

* G. Preserve in that license notice the full lists of Invariant 
Sections and required Cover Texts given in the Document's license 
notice. 

* H. Include an unaltered copy of this License. 

* I. Preserve the section Entitled "History", Preserve its Title, 
and add to it an item stating at least the title, year, new authors, 
and publisher of the Modified Version as given on the Title Page. If 
there is no section Entitled "History" in the Document, create one 
stating the title, year, authors, and publisher of the Document as 
given on its Title Page, then add an item describing the Modified 
Version as stated in the previous sentence. 

* J. Preserve the network location, if any, given in the Document 
for public access to a Transparent copy of the Document, and likewise 
the network locations given in the Document for previous versions it 
was based on. These may be placed in the "History" section. You may 
omit a network location for a work that was published at least four 
years before the Document itself, or if the original publisher of the 
version it refers to gives permission. 

* K. For any section Entitled "Acknowledgements" or "Dedications", 
Preserve the Title of the section, and preserve in the section all the 
substance and tone of each of the contributor acknowledgements and/or 
dedications given therein. 

* L. Preserve all the Invariant Sections of the Document, 
unaltered in their text and in their titles. Section numbers or the 
equivalent are not considered part of the section titles. 

* M. Delete any section Entitled "Endorsements". Such a section 
may not be included in the Modified Version. 

* N. Do not retitle any existing section to be Entitled 
"Endorsements" or to conflict in title with any Invariant Section. 

* O. Preserve any Warranty Disclaimers. 


If the Modified Version includes new front-matter sections or 
appendices that qualify as Secondary Sections and contain no material 
copied from the Document, you may at your option designate some or all 
of these sections as invariant. To do this, add their titles to the 
list of Invariant Sections in the Modified Version's license notice. 
These titles must be distinct from any other section titles. 


You may add a section Entitled "Endorsements", provided it contains 
nothing but endorsements of your Modified Version by various 
parties—for example, statements of peer review or that the text has 
been approved by an organization as the authoritative definition of a 
standard. 


You may add a passage of up to five words as a Front-Cover Text, anda 
passage of up to 25 words as a Back-Cover Text, to the end of the list 
of Cover Texts in the Modified Version. Only one passage of 
Front-Cover Text and one of Back-Cover Text may be added by (or 
through arrangements made by) any one entity. If the Document already 
includes a cover text for the same cover, previously added by you or 
by arrangement made by the same entity you are acting on behalf of, 
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you may not add another; but you may replace the old one, on explicit 
permission from the previous publisher that added the old one. 


The author(s) and publisher(s) of the Document do not by this License 
give permission to use their names for publicity for or to assert or 
imply endorsement of any Modified Version. 


5. COMBINING DOCUMENTS 


You may combine the Document with other documents released under this 
License, under the terms defined in section 4 above for modified 
versions, provided that you include in the combination all of the 
Invariant Sections of all of the original documents, unmodified, and 
list them all as Invariant Sections of your combined work in its 
license notice, and that you preserve all their Warranty Disclaimers. 


The combined work need only contain one copy of this License, and 
multiple identical Invariant Sections may be replaced with a single 
copy. If there are multiple Invariant Sections with the same name but 
different contents, make the title of each such section unique by 
adding at the end of it, in parentheses, the name of the original 
author or publisher of that section if known, or else a unique number. 
Make the same adjustment to the section titles in the list of 
Invariant Sections in the license notice of the combined work. 


In the combination, you must combine any sections Entitled "History" 
in the various original documents, forming one section Entitled 
"History"; likewise combine any sections Entitled "Acknowledgements", 
and any sections Entitled "Dedications". You must delete all sections 
Entitled "Endorsements". 


6. COLLECTIONS OF DOCUMENTS 


You may make a collection consisting of the Document and other 
documents released under this License, and replace the individual 
copies of this License in the various documents with a single copy 
that is included in the collection, provided that you follow the rules 
of this License for verbatim copying of each of the documents in all 
other respects. 


You may extract a single document from such a collection, and 
distribute it individually under this License, provided you insert a 
copy of this License into the extracted document, and follow this 
License in all other respects regarding verbatim copying of that 
document. 


7. AGGREGATION WITH INDEPENDENT WORKS 


A compilation of the Document or its derivatives with other separate 
and independent documents or works, in or on a volume of a storage or 
distribution medium, is called an "aggregate" if the copyright 
resulting from the compilation is not used to limit the legal rights 
of the compilation's users beyond what the individual works permit. 
When the Document is included in an aggregate, this License does not 
apply to the other works in the aggregate which are not themselves 
derivative works of the Document. 


If the Cover Text requirement of section 3 is applicable to these 
copies of the Document, then if the Document is less than one half of 
the entire aggregate, the Document's Cover Texts may be placed on 
covers that bracket the Document within the aggregate, or the 
electronic equivalent of covers if the Document is in electronic form. 
Otherwise they must appear on printed covers that bracket the whole 
aggregate. 
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8. TRANSLATION 


Translation is considered a kind of modification, so you may 
distribute translations of the Document under the terms of section 4. 
Replacing Invariant Sections with translations requires special 
permission from their copyright holders, but you may include 
translations of some or all Invariant Sections in addition to the 
original versions of these Invariant Sections. You may include a 
translation of this License, and all the license notices in the 
Document, and any Warranty Disclaimers, provided that you also include 
the original English version of this License and the original versions 
of those notices and disclaimers. In case of a disagreement between 
the translation and the original version of this License or a notice 
or disclaimer, the original version will prevail. 


If a section in the Document is Entitled "Acknowledgements", 
"Dedications", or "History", the requirement (section 4) to Preserve 
its Title (section 1) will typically require changing the actual 
title. 


9. TERMINATION 


You may not copy, modify, sublicense, or distribute the Document 
except as expressly provided under this License. Any attempt otherwise 
to copy, modify, sublicense, or distribute it is void, and will 
automatically terminate your rights under this License. 


However, if you cease all violation of this License, then your license 
from a particular copyright holder is reinstated (a) provisionally, 
unless and until the copyright holder explicitly and finally 
terminates your license, and (b) permanently, if the copyright holder 
fails to notify you of the violation by some reasonable means prior to 
60 days after the cessation. 


Moreover, your license from a particular copyright holder is 
reinstated permanently if the copyright holder notifies you of the 
violation by some reasonable means, this is the first time you have 
received notice of violation of this License (for any work) from that 
copyright holder, and you cure the violation prior to 30 days after 
your receipt of the notice. 


Termination of your rights under this section does not terminate the 
licenses of parties who have received copies or rights from you under 
this License. If your rights have been terminated and not permanently 
reinstated, receipt of a copy of some or all of the same material does 
not give you any rights to use it. 


10. FUTURE REVISIONS OF THIS LICENSE 


The Free Software Foundation may publish new, revised versions of the 
GNU Free Documentation License from time to time. Such new versions 
will be similar in spirit to the present version, but may differ in 
detail to address new problems or concerns. See 
http://www.gnu.org/copyleft/. 


Each version of the License is given a distinguishing version number. 
If the Document specifies that a particular numbered version of this 
License "or any later version" applies to it, you have the option of 
following the terms and conditions either of that specified version or 
of any later version that has been published (not as a draft) by the 
Free Software Foundation. If the Document does not specify a version 
number of this License, you may choose any version ever published (not 
as a draft) by the Free Software Foundation. If the Document specifies 
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that a proxy can decide which future versions of this License can be 
used, that proxy's public statement of acceptance of a version 
permanently authorizes you to choose that version for the Document. 


11. RELICENSING 


"Massive Multiauthor Collaboration Site" (or "MMC Site") means any 
World Wide Web server that publishes copyrightable works and also 
provides prominent facilities for anybody to edit those works. A 
public wiki that anybody can edit is an example of such a server. A 
"Massive Multiauthor Collaboration" (or "MMC") contained in the site 
means any set of copyrightable works thus published on the MMC site. 


"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 
license published by Creative Commons Corporation, a not-for-profit 
corporation with a principal place of business in San Francisco, 
California, as well as future copyleft versions of that license 
published by that same organization. 


"Incorporate" means to publish or republish a Document, in whole or in 
part, as part of another Document. 


An MMC is "eligible for relicensing" if it is licensed under this 
License, and if all works that were first published under this License 
somewhere other than this MMC, and subsequently incorporated in whole 
or in part into the MMC, (1) had no cover texts or invariant sections, 
and (2) were thus incorporated prior to November 1, 2008. 


The operator of an MMC Site may republish an MMC contained in the site 
under CC-BY-SA on the same site at any time before August 1, 2009, 
provided the MMC is eligible for relicensing. 
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